Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread Petr Vobornik

On 27.3.2015 15:26, David Kupka wrote:

On 03/27/2015 03:14 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4190

To test this on F22 my patch 42 is needed.




NACK.

You need to bump the VERSION in ipa.conf for this file to be replaced on
upgrades.


Thanks for the catch, Rob. I've forgotten about this.


This also provides an opportunity to drop the cgi-bin configuration.
This is a legacy from IPA v1.0 where people had TONS, loads and heaps of
problems getting Kerberos working so we provided a CGI to spit out the
environment to help with troubleshooting.


If we can safely remove it, we should do it. I did a quick test and it
looks like everything works without it.



rob



Updated patch attached.



ACK

tested on F22 - both CLI and Web UI
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.

2015-03-27 Thread Petr Vobornik

On 27.3.2015 14:58, David Kupka wrote:

pylint changed slightly so we must react otherwise we'll be unable to
build freeipa rpms on Fedora 22. This patch should go to master for sure
but I don't know if we want it in 4.1.



ACK

tested on:
- F21: ipa-4-1, master branch
- F22: master branch.

IMHO it could go to the ipa-4-1 branch because of FreeIPA 4.1.4 in F22
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0001-2 ipatests: SOA record Maintenance tests

2015-03-27 Thread Martin Basti

On 27/03/15 16:34, Aleš Mareček wrote:

Greetings!
Martin, thanks for your review and comments!
I changed the name of the patch and set up my git variables properly. I also 
re-tested it and everything passed. I'm sending a new patch that is attached.

- Original Message -

From: "Martin Basti" 
To: "Aleš Mareček" , freeipa-devel@redhat.com
Sent: Tuesday, March 24, 2015 4:39:21 PM
Subject: Re: [Freeipa-devel] [PATCH] 0001 ipatests: SOA record Maintenance tests

On 24/03/15 15:06, Aleš Mareček wrote:

Greetings!
This is my very first patch, ticket#4746.

Have a nice day!
   - alich -



Thank you for the patch. Just nitpicks:

1)
+cleanup_commands = [
+('dnszone_del', [zone6], {'continue': True}),
+('dnszone_del', [zone6b], {'continue': True}),
+]

It would be better to do it this way; the continue option will try to remove
all zones:
+cleanup_commands = [
+('dnszone_del', [zone6, zone6b], {'continue': True}),
+]


Done.


2)
I'm fine with zone6b, but was there any reason to create zone6b, instead
of reusing zone 1 or 2 or 3?

Because of some update needs, I didn't want to break anything existing, thus I 
created a new one.


3)
Please fix whitespace errors.
$ git am
freeipa-alich-0001-ipatests-added-tests-for-SOA-record-Maintenance.patch
Applying: ipatests - added tests for SOA record Maintenance
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:482: trailing
whitespace.

/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:758: new blank
line at EOF.
+
warning: 2 lines add whitespace errors.


Done.
$ git am freeipa-alich-0001-2-Ipatests-DNS-SOA-Record-Maintenance.patch
Applying: Ipatests DNS SOA Record Maintenance
$


4)
I know the dns plugin tests are so far from PEP8, but try to keep PEP8
in new code

Done; only one line persisted that I didn't want to break:
zone6_unresolvable_ns_relative_dnsname = DNSName(zone6_unresolvable_ns_relative)


Otherwise test works as expected.

Martin^2

--
Martin Basti



Thanks!
  - alich -

Thank you, ACK.

--
Martin Basti


Re: [Freeipa-devel] [PATCH] 0001-2 ipatests: SOA record Maintenance tests

2015-03-27 Thread Aleš Mareček
Greetings!
Martin, thanks for your review and comments!
I changed the name of the patch and set up my git variables properly. I also 
re-tested it and everything passed. I'm sending a new patch that is attached.

- Original Message -
> From: "Martin Basti" 
> To: "Aleš Mareček" , freeipa-devel@redhat.com
> Sent: Tuesday, March 24, 2015 4:39:21 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0001 ipatests: SOA record Maintenance 
> tests
> 
> On 24/03/15 15:06, Aleš Mareček wrote:
> > Greetings!
> > This is my very first patch, ticket#4746.
> >
> > Have a nice day!
> >   - alich -
> >
> >
> Thank you for the patch. Just nitpicks:
> 
> 1)
> +cleanup_commands = [
> +('dnszone_del', [zone6], {'continue': True}),
> +('dnszone_del', [zone6b], {'continue': True}),
> +]
> 
> It would be better to do it this way; the continue option will try to remove
> all zones:
> +cleanup_commands = [
> +('dnszone_del', [zone6, zone6b], {'continue': True}),
> +]
> 

Done.

> 2)
> I'm fine with zone6b, but was there any reason to create zone6b, instead
> of reusing zone 1 or 2 or 3?

Because of some update needs, I didn't want to break anything existing, thus I 
created a new one.

> 
> 3)
> Please fix whitespace errors.
> $ git am
> freeipa-alich-0001-ipatests-added-tests-for-SOA-record-Maintenance.patch
> Applying: ipatests - added tests for SOA record Maintenance
> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:482: trailing
> whitespace.
> 
> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:758: new blank
> line at EOF.
> +
> warning: 2 lines add whitespace errors.
> 

Done.
$ git am freeipa-alich-0001-2-Ipatests-DNS-SOA-Record-Maintenance.patch
Applying: Ipatests DNS SOA Record Maintenance
$

> 4)
> I know the dns plugin tests are so far from PEP8, but try to keep PEP8
> in new code

Done; only one line persisted that I didn't want to break:
zone6_unresolvable_ns_relative_dnsname = DNSName(zone6_unresolvable_ns_relative)

> 
> Otherwise test works as expected.
> 
> Martin^2
> 
> --
> Martin Basti
> 
> 

Thanks!
 - alich -
From fcd2078d138f768383df78896d44e51b606ada3b Mon Sep 17 00:00:00 2001
From: Ales 'alich' Marecek 
Date: Fri, 27 Mar 2015 16:17:10 +0100
Subject: [PATCH] Ipatests DNS SOA Record Maintenance

https://fedorahosted.org/freeipa/ticket/4746
---
 ipatests/test_xmlrpc/test_dns_plugin.py | 757 
 1 file changed, 757 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 47251ff68e829a0e0944633bd6243e2c2f79935c..a226c80486e4d44a44714a2f7d03e1049d4d37a8 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -120,6 +120,51 @@ zone5_ns_dnsname = DNSName(zone5_ns)
 zone5_rname = u'root.%s' % zone5
 zone5_rname_dnsname = DNSName(zone5_rname)
 
+zone6b = u'zone6b.test'
+zone6b_absolute = u'%s.' % zone6b
+zone6b_dnsname = DNSName(zone6b)
+zone6b_absolute_dnsname = DNSName(zone6b_absolute)
+zone6b_dn = DN(('idnsname', zone6b), api.env.container_dns, api.env.basedn)
+zone6b_absolute_dn = DN(('idnsname', zone6b_absolute),
+api.env.container_dns, api.env.basedn)
+zone6b_rname = u'hostmaster'
+zone6b_rname_dnsname = DNSName(zone6b_rname)
+zone6b_ip = u'172.16.70.1'
+zone6b_ns_arec = u'ns'
+zone6b_ns = u'%s.%s' % (zone6b_ns_arec, zone6b_absolute)
+zone6b_ns_arec_dnsname = DNSName(zone6b_ns_arec)
+zone6b_ns_arec_dn = DN(('idnsname', zone6b_ns_arec), zone6b_dn)
+zone6b_ns_dnsname = DNSName(zone6b_ns)
+zone6b_absolute_arec_dn = DN(('idnsname', zone6b_ns_arec), zone6b_absolute_dn)
+
+zone6 = u'zone6.test'
+zone6_invalid = u'invalid-zone.zone6..test'
+zone6_absolute = u'%s.' % zone6
+zone6_dnsname = DNSName(zone6)
+zone6_absolute_dnsname = DNSName(zone6_absolute)
+zone6_dn = DN(('idnsname', zone6), api.env.container_dns, api.env.basedn)
+zone6_absolute_dn = DN(('idnsname', zone6_absolute),
+   api.env.container_dns, api.env.basedn)
+zone6_ns_relative = u'ns1'
+zone6_absolute_arec_dn = DN(('idnsname', zone6_ns_relative), zone6_absolute_dn)
+zone6_ns = u'%s.%s' % (zone6_ns_relative, zone6_absolute)
+zone6_ns_relative_dnsname = DNSName(zone6_ns_relative)
+zone6_ns_dnsname = DNSName(zone6_ns)
+zone6_ns_arec_dnsname = DNSName(zone6_ns_relative)
+zone6_ns_invalid_dnsname = u'invalid name server! ..%s' % zone6_absolute
+zone6_rname = u'root.%s' % zone6_absolute
+zone6_rname_dnsname = DNSName(zone6_rname)
+zone6_rname_default = u'hostmaster'
+zone6_rname_default_dnsname = DNSName(zone6_rname_default)
+zone6_rname_relative_dnsname = DNSName(u'root')
+zone6_rname_absolute_dnsname = DNSName(u'root.%s' % zone6_absolute)
+zone6_rname_invalid_dnsname = u'invalid ! @ ! .. root..%s' % zone6_absolute
+zone6_unresolvable_ns_relative = u'unresolvable'
+zone6_unresolvable_ns = u'%s.%s' % (zone6_unresolvable_ns_relative,
+zone6_absolute)
+zone6_unresolvable_ns_dnsname = DNSName(zone6_unresolvable_ns)
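Review bot: `zone6_ns_invalid_dnsname` and `zone6_rname_invalid_dnsname` are plain unicode strings, while every other `*_dnsname` name in this hunk is wrapped in `DNSName(...)`, presumably because DNSName() would reject these intentionally malformed values. A short comment saying so (or dropping the `_dnsname` suffix from the two names) would stop a reader from assuming they are DNSName objects. The naming is also inconsistent between the two zones: `zone6b_absolute_arec_dn` is built from `zone6b_ns_arec`, while `zone6_absolute_arec_dn` is built from `zone6_ns_relative`.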

Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread Rob Crittenden
Jan Pazdziora wrote:
> On Fri, Mar 27, 2015 at 03:04:35PM +0100, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/4190
>>
>> --- a/freeipa.spec.in
>> +++ b/freeipa.spec.in
>> @@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
>>  Requires: ntp
>>  Requires: httpd >= 2.4.6-6
>>  Requires: mod_wsgi
>> -Requires: mod_auth_kerb >= 5.4-16
>> +Requires: mod_auth_gssapi
> 
> Do we assume we will no longer do an upstream 4.2 release on
> Fedora 20? Otherwise this should be covered by some %ifs to use
> mod_auth_kerb on Fedora 20.

Fedora 20 only supports 3.3.x so yeah, not needed.

There may be _builds_ of 4.x in F20 but they are not supported.

rob



Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread David Kupka

On 03/27/2015 03:14 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4190

To test this on F22 my patch 42 is needed.




NACK.

You need to bump the VERSION in ipa.conf for this file to be replaced on
upgrades.


Thanks for the catch, Rob. I've forgotten about this.


This also provides an opportunity to drop the cgi-bin configuration.
This is a legacy from IPA v1.0 where people had TONS, loads and heaps of
problems getting Kerberos working so we provided a CGI to spit out the
environment to help with troubleshooting.


If we can safely remove it, we should do it. I did a quick test and it 
looks like everything works without it.




rob



Updated patch attached.

--
David Kupka
From 82b197b53124d8ba94bd8daf2393e50aada58f2d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 25 Mar 2015 05:22:03 -0400
Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190
---
 freeipa.spec.in|  4 +++-
 init/systemd/ipa.conf.tmpfiles |  1 +
 install/conf/ipa.conf  | 33 ++---
 ipalib/session.py  | 20 ++--
 ipaserver/rpcserver.py |  2 +-
 5 files changed, 21 insertions(+), 39 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -680,6 +681,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
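Review bot: the `d` entry has no age column, so systemd-tmpfiles never removes stale files from /var/run/httpd/clientcaches; each delegated ccache there holds a user's forwarded credentials, and on a busy server they accumulate until the next reboot. Confirm that mod_auth_gssapi removes a ccache when the session it belongs to ends, or add an age field to this line (chosen against the ccache lifetime) so that expired caches are swept by the periodic `systemd-tmpfiles --clean` run.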
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..92637c04d4f961a0b7f016fe125341c63f400285 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,9 +1,8 @@
 #
-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
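Review bot: the bump from `VERSION 16` to `VERSION 17` is what makes the upgrade path overwrite the installed ipa.conf, so the directive changes further down this patch reach existing servers; without it they would only appear on fresh installs, which is the point of the NACK above. The header still only says `DO NOT REMOVE THIS LINE`; adding a note that the number must be bumped whenever the file changes would prevent the same omission in future patches.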
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
@@ -174,21 +168,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
 AddHandler wsgi-script .py
 
 
-# Protect our CGIs
-
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  Require valid-user
-  ErrorDocument 401 /ipa/errors/unauthorized.html
-
-
-
 # migration related pages
 Alias /ipa/migration "/usr/share/ipa/migration"
 
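Review bot: this hunk removes only the authentication block for the CGIs; the lines that expose them (the cgi-bin alias and the directory entry) are not visible in the hunk. If those stay, the CGIs become reachable without any authentication, which is worse than the mod_auth_kerb block being replaced. Either remove the alias and the shipped CGI scripts in the same patch, or keep a GSSAPI auth block on that location.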
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b75c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2

Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread Jan Pazdziora
On Fri, Mar 27, 2015 at 03:04:35PM +0100, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4190
> 
> --- a/freeipa.spec.in
> +++ b/freeipa.spec.in
> @@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
>  Requires: ntp
>  Requires: httpd >= 2.4.6-6
>  Requires: mod_wsgi
> -Requires: mod_auth_kerb >= 5.4-16
> +Requires: mod_auth_gssapi

Do we assume we will no longer do an upstream 4.2 release on
Fedora 20? Otherwise this should be covered by some %ifs to use
mod_auth_kerb on Fedora 20.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread Rob Crittenden
David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4190
> 
> To test this on F22 my patch 42 is needed.
> 
> 

NACK.

You need to bump the VERSION in ipa.conf for this file to be replaced on
upgrades.

This also provides an opportunity to drop the cgi-bin configuration.
This is a legacy from IPA v1.0 where people had TONS, loads and heaps of
problems getting Kerberos working so we provided a CGI to spit out the
environment to help with troubleshooting.

rob



Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread David Kupka

On 03/27/2015 03:10 PM, Simo Sorce wrote:

On Fri, 2015-03-27 at 15:04 +0100, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4190

To test this on F22 my patch 42 is needed.


Please require mod_auth_gssapi >= 1.1.0-2
Any lower version will fail to work.

Otherwise patch looks good to me.

Simo.



Realized a few seconds after I sent it, but you're really quick :-)
Thanks for review and help.

Updated patch attached.

--
David Kupka
From 7a6fb4881c534e276787826e36aa35e0c85f9504 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 25 Mar 2015 05:22:03 -0400
Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190
---
 freeipa.spec.in|  4 +++-
 init/systemd/ipa.conf.tmpfiles |  1 +
 install/conf/ipa.conf  | 28 ++--
 ipalib/session.py  | 20 ++--
 ipaserver/rpcserver.py |  2 +-
 5 files changed, 25 insertions(+), 30 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
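Review bot: the new `install -d -m 0700 ... /run/httpd/clientcaches` line spells the path with `%{_localstatedir}/run`, while the tmpfiles entry and ipa.conf in this same patch use `/var/run/httpd/clientcaches`; they resolve to the same place on Fedora, but one spelling everywhere avoids a silent mismatch if `_localstatedir` ever differs. Creating the directory in %install and listing it in %files (the hunk below) is the right complement to the tmpfiles entry: the package covers install and upgrade, and tmpfiles recreates it after a reboot when /run is a tmpfs.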
@@ -680,6 +681,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..1f113756b78446c4d34ca8ea37cacd73deaaf57d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
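Review bot: `KrbMethodK5Passwd off` and `KrbAuthRealms $REALM` are removed without an explicit mod_auth_gssapi counterpart. Password (Basic) authentication in mod_auth_gssapi is governed by `GssapiBasicAuth`, which defaults to off, so behaviour is preserved, but an explicit `GssapiBasicAuth Off` would document the intent and survive a future default change. For the realm restriction, the acceptor identity is now determined by the principals in the keytab named in `GssapiCredStore`, so confirm that `/etc/httpd/conf/ipa.keytab` holds only this host's HTTP service principal.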
@@ -176,14 +170,12 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
 
 # Protect our CGIs
 
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b75c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
   3. wsgi handler (in IPA wsgi python process)
   4. ds (directory server)
 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
 
   2. Client sends post to /ipa/json.
 
-  3. mod_auth_kerb is conf

Re: [Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread Simo Sorce
On Fri, 2015-03-27 at 15:04 +0100, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4190
> 
> To test this on F22 my patch 42 is needed.

Please require mod_auth_gssapi >= 1.1.0-2
Any lower version will fail to work.

Otherwise patch looks good to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH 0043] Use mod_auth_gssapi instead of mod_auth_kerb.

2015-03-27 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4190

To test this on F22 my patch 42 is needed.
--
David Kupka
From 135faa61e0252cc35cca75aa9814610db0883aa4 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 25 Mar 2015 05:22:03 -0400
Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190
---
 freeipa.spec.in|  2 +-
 init/systemd/ipa.conf.tmpfiles |  1 +
 install/conf/ipa.conf  | 28 ++--
 ipalib/session.py  | 20 ++--
 ipaserver/rpcserver.py |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7a1ff8b50ef1b462ad14fb2328149c3c2ed2fb38..b9f38f729d8fcec57d73e26352068d50a9d2cecc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
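Review bot: `Requires: mod_auth_gssapi` on the `+` line carries no version constraint, unlike the `mod_auth_kerb >= 5.4-16` it replaces. The ipa.conf hunks in this same patch rely on `GssapiDelegCcacheDir` and `GssapiUseS4U2Proxy`, so an older module that lacks those directives would make httpd fail at startup; pin the minimum release that provides them (the thread settles on `>= 1.1.0-2`).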
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
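Review bot: in this version of the patch the clientcaches directory is created only by this tmpfiles entry, so on an upgraded server it does not exist until systemd-tmpfiles runs (at boot or via `systemd-tmpfiles --create`), and mod_auth_gssapi has nowhere to write delegated ccaches; the spec hunk above touches only Requires. Consider also creating it from the package (%install plus a %files %dir entry) so a package upgrade without a reboot works. The 0700 apache:apache mode is appropriate, since the directory holds forwarded user credentials.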
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..1f113756b78446c4d34ca8ea37cacd73deaaf57d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
@@ -176,14 +170,12 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
 
 # Protect our CGIs
 
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 
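Review bot: the replacement block turns on `GssapiUseS4U2Proxy on` and `GssapiDelegCcacheDir` for the CGI location, but the block it replaces had no `KrbConstrainedDelegation on`, so this hunk grants the CGIs a delegation capability they did not have before. Unless a CGI needs to act on the user's behalf, leave S4U2Proxy off here and keep delegation limited to the /ipa location that the WSGI handler needs.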
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b75c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
   3. wsgi handler (in IPA wsgi python process)
   4. ds (directory server)
 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
 
   2. Client sends post to /ipa/json.
 
-  3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+  3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
  authenticate negotiate.
 
   4. Client resends with credentials
 
-  5. mod_auth_kerb validates credentials
+  5. mod_auth_gssapi validates credentials
 
  a. if invalid replies 403 access denied (stops here)
 
@@ -550,7 +550,7 @@ A few notes about the session implementation.
 Changes to Apache's resource protection
 ---
 
-  * /ipa/json is no longer protected by mod_auth_kerb. This is
+  * /ipa/json is no longer protected by mod_auth_gssapi. This is
 necessary to avoid the negotiate expense in steps 3,4,5
 above. Instead the /ipa/json resource will be protected in our wsgi
 handler via the session cookie.
@@ -583,15 +583,15 @@ The new sequence is:
 
   5. client sends request to /ipa/login to obtain session credentials
 
-  6. mod_auth_kerb replies 401 negotiate on /ipa/login
+  6. mod_auth_gssapi replies 401 negotiate on /ipa/login
 
   7. client sends credentials to /ipa/login
 
-  8. mod_auth_kerb validates credentials
+  8. mod_auth_gssapi validates credentials
 
  a. if valid
 
-- mod_auth_kerb permits access to /ipa/login.

[Freeipa-devel] [PATCH 0042] Make lint work on Fedora 22.

2015-03-27 Thread David Kupka
pylint changed slightly so we must react otherwise we'll be unable to 
build freeipa rpms on Fedora 22. This patch should go to master for sure 
but I don't know if we want it in 4.1.

--
David Kupka
From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 27 Mar 2015 07:14:27 -0400
Subject: [PATCH] Make lint work on Fedora 22.

pylint added a 'confidence' parameter to the 'add_message' method of PyLinter.
To be compatible with both pre- and post-1.4, IPALinter must accept
the parameter but not pass it on.
Also a python3 checker was added and enabled by default. FreeIPA is still
not ready for python3.
Additionally, a few false positives were marked.
---
 ipalib/plugins/otptoken.py   | 1 +
 ipapython/dnssec/ldapkeydb.py| 1 +
 ipaserver/install/ipa_otptoken_import.py | 1 +
 make-lint| 3 ++-
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -547,6 +547,7 @@ class otptoken_sync(Local):
 query = urllib.urlencode(query)
 
 # Sync the token.
+# pylint: disable=E1101
 handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
cert_reqs=ssl.CERT_REQUIRED,
ssl_version=ssl.PROTOCOL_TLSv1)
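Review bot: `# pylint: disable=E1101` on a line of its own applies from that line to the end of the enclosing block, not just to the following `handler = HTTPSHandler(...)` statement, so any genuine no-member error later in `otptoken_sync` is hidden as well; put the pragma as a trailing comment on the statement that trips it, and prefer the symbolic name (`no-member`) so readers need not look up the code. Unrelated to this change but visible in the context lines: `ssl_version=ssl.PROTOCOL_TLSv1` pins the client to TLS 1.0 only, which is worth a separate ticket.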
diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644
--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
@@ -23,6 +23,7 @@ def uri_escape(val):
 assert len(val) > 0, "zero-length URI component detected"
 hexval = hexlify(val)
 out = '%'
+# pylint: disable=E1127
 out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
 return out
 
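Review bot: same scoping point as in the otptoken hunk: `# pylint: disable=E1127` on its own line disables `invalid-slice-index` for the rest of `uri_escape`; a trailing comment on the `out += ...` line scopes it to the one false positive. Also visible in context: `assert len(val) > 0` is the only guard against an empty component, and asserts are stripped when Python runs with -O, so an explicit `if not val: raise ValueError(...)` would be more robust.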
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -60,6 +60,7 @@ def convertDate(value):
 
 dt = dateutil.parser.parse(value)
 
+# pylint: disable=E1101
 if dt.tzinfo is None:
 dt = datetime.datetime(*dt.timetuple()[0:6],
tzinfo=dateutil.tz.tzlocal())
diff --git a/make-lint b/make-lint
index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755
--- a/make-lint
+++ b/make-lint
@@ -143,7 +143,7 @@ class IPALinter(PyLinter):
 return
 super(IPALinter, self).register_checker(checker)
 
-def add_message(self, msg_id, line=None, node=None, args=None):
+def add_message(self, msg_id, line=None, node=None, args=None, confidence=None):
 if line is None and node is not None:
 line = node.fromlineno
 
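Review bot: the hunk adds `confidence=None` to the signature but stops before the call into `PyLinter.add_message`, so it cannot be verified from this diff that `confidence` is not forwarded on pylint < 1.4 (where the parent would raise TypeError on the unknown keyword) and is not silently lost on >= 1.4. Consider forwarding it only when the parent signature supports it, or at least add a comment saying the value is intentionally discarded, as the commit message states.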
@@ -235,6 +235,7 @@ def main():
 '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})')
 linter.set_option('reports', False)
 linter.set_option('persistent', False)
+linter.set_option('disable', 'python3')
 
 linter.check(files)
 
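Review bot: `linter.set_option('disable', 'python3')` silences the whole python3 checker with nothing beside it saying why; a one-line comment giving the reason from the commit message (FreeIPA is not yet python3-ready) and a TODO to re-enable it when porting starts would keep this from becoming a permanent blind spot.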
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] ipatests: port of p11helper test from github

2015-03-27 Thread Milan Kubik

Hi,

On 03/24/2015 04:40 PM, Martin Basti wrote:

On 24/03/15 14:41, Milan Kubik wrote:

Hello,

thanks for the review.

On 03/24/2015 12:39 PM, Martin Basti wrote:

On 17/03/15 10:38, Milan Kubik wrote:

Hi,

On 03/16/2015 05:23 PM, Martin Basti wrote:

On 16/03/15 15:32, Milan Kubik wrote:

On 03/16/2015 12:03 PM, Milan Kubik wrote:

On 03/13/2015 02:59 PM, Milan Kubik wrote:

Hi,

this is a patch with port of [1] to pytest.

[1]: 
https://github.com/spacekpe/freeipa-pkcs11/blob/master/python/run.py 



Cheers,
Milan



Added a few more asserts in methods where the test could fail and 
cause other errors.



New version of the patch after brief discussion with Martin 
Basti. Removed unnecessary variable assignments and separated a 
new test case.




Hello,

thank you for the patch.
I have a few nitpicks:
1)
You can remove this and use just hexlify(s)
+def str_to_hex(s):
+return ''.join("{:02x}".format(ord(c)) for c in s)

done


2)
+ def test_find_secret_key(self, p11):
+ assert p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY, 
label=u"žžž-aest")


In tests before you tested the exact number of expected IDs 
returned by find_keys method, why not here?

Lack of attention.
Fixed the assert in `test_search_for_master_key` which does the 
same thing. Merged `test_find_secret_key` with 
`test_search_for_master_key` where it belongs.


Martin^2


Milan



Thank you for patches, just two nitpicks:

1)
Can you use the ipaplatform.paths constant? This is platform specific.
LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"

Respectively, use just LIBSOFTHSM2_SO; on 64-bit systems it is 
automatically mapped to LIBSOFTHSM2_SO_64.


instead of:
+
+libsofthsm = "/usr/lib64/pkcs11/libsofthsm2.so"
+


Done.

2)
Can you please check if keys were really deleted?
+def test_delete_key(self, p11):

Done.

--
Martin Basti


I also moved `test_search_for_master_key` right after 
`test_generate_master_key` and changed the assert message to a more 
specific one.


Cheers,
Milan

Please fix this:

1)
$ git am 
freeipa-mkubik-0001-5-ipatests-port-of-p11helper-test-from-github.patch

Applying: ipatests: port of p11helper test from github
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:228: new blank 
line at EOF.

+
warning: 1 line adds whitespace errors.


fixed (TIL: vim doesn't show the last empty line)

2) Please respect PEP8 if it is possible
Mostly done, there are a few instances of long variable names off by a few 
characters.


3)
I'm still not sure with this:
assert len(master_key) == 0, "The master key should be deleted."

following example is more pythonic
assert not master_key, "The master key"


Changed to the latter variant.

4)
Related to 3), should we test the return value, i.e. whether the correct type was returned?
assert isinstance(master_key, list) and not master_key, "."
I do not insist on this.

Otherwise it works as expected.
--
Martin Basti


Milan
From 64308fc10192ed7892845dd17d5bcb42846d55c2 Mon Sep 17 00:00:00 2001
From: Milan Kubik 
Date: Thu, 12 Mar 2015 16:52:33 +0100
Subject: [PATCH] ipatests: port of p11helper test from github

Ported the github hosted [1] script to use pytest's abilities
and included it in ipatests/test_ipapython directory.

[1]: https://github.com/spacekpe/freeipa-pkcs11/blob/master/python/run.py

https://fedorahosted.org/freeipa/ticket/4829
---
 ipatests/test_ipapython/test_ipap11helper.py | 271 +++
 make-lint|   2 +-
 2 files changed, 272 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_ipapython/test_ipap11helper.py

diff --git a/ipatests/test_ipapython/test_ipap11helper.py b/ipatests/test_ipapython/test_ipap11helper.py
new file mode 100644
index ..56083c96aa935c36e83eacfc510afbe75c0c78ab
--- /dev/null
+++ b/ipatests/test_ipapython/test_ipap11helper.py
@@ -0,0 +1,271 @@
+# -*- coding: utf-8 -*-
+# Authors:
+#   Milan Kubik 
+#
+# Copyright (C) 2015  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+"""
+Test the `ipapython/ipap11helper/p11helper.c` module.
+"""
+
+
+from binascii import hexlify
+import os
+import os.path
+import logging
+import subprocess
+import tempfile
+
+import pytest
+from ipaplatform.paths import paths
+
+import _ipap11helper
+
+
+C
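Review bot: `import _ipap11helper` at module level (next to `subprocess` and `tempfile`, which suggests the SoftHSM token is set up at test time) means a missing or unbuilt C extension fails the whole module at collection rather than skipping it; `_ipap11helper = pytest.importorskip('_ipap11helper')` would make that dependency explicit. The hunk is cut off after the imports, so only the header and import block could be reviewed here.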

Re: [Freeipa-devel] FreeIPA 4.1.4 upstream repo for RHEL 7 is broken

2015-03-27 Thread Jan Pazdziora
On Fri, Mar 27, 2015 at 09:15:29AM +0100, Jan Pazdziora wrote:
> On Thu, Mar 26, 2015 at 06:14:34PM +0100, Petr Vobornik wrote:
> > The FreeIPA team would like to announce FreeIPA v4.1.4 security release!
> > 
> > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> > will be available for Fedora 21. Builds for Fedora 20 are available in the
> > official COPR repository
> > .
> 
> I've noticed that the RHEL/EPEL 7 upstream repo was updated as well.
> 
> However, that repo is currently broken when used on RHEL 7.1:
> 
>   # curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo 
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
>   [...]
>   # yum install -y freeipa-server
>   [...]
>   --> Finished Dependency Resolution
>   Error: Package: freeipa-server-4.1.4-1.el7.centos.x86_64 
> (mkosek-freeipa)
>  Requires: slapi-nis >= 0.54.2-1
>  Available: slapi-nis-0.52-4.el7.x86_64 (rhel-7-server-rpms)
>  slapi-nis = 0.52-4.el7
>  Available: slapi-nis-0.54-2.el7.x86_64 (rhel-7-server-rpms)
>  slapi-nis = 0.54-2.el7
>  Available: slapi-nis-0.54-3.el7_1.x86_64 (rhel-7-server-rpms)
>  slapi-nis = 0.54-3.el7_1
>  Available: slapi-nis-0.54.1-1.el7.centos.x86_64 
> (mkosek-freeipa)
>  slapi-nis = 0.54.1-1.el7.centos
>You could try using --skip-broken to work around the problem
>You could try running: rpm -Va --nofiles --nodigest

I confirm that with the latest fixes to the repo, things work both on
Fedora 20 and CentOS 7.

I've triggered a rebuild of the respective *-upstream images of

https://registry.hub.docker.com/u/adelton/freeipa-server/

and they passed as well.

Thank you,

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] User life cycle: changes in user plugin commands

2015-03-27 Thread thierry bordaz

On 03/27/2015 10:20 AM, Martin Kosek wrote:

On 03/26/2015 10:32 PM, Dmitri Pal wrote:

On 03/26/2015 04:24 PM, thierry bordaz wrote:

On 03/26/2015 08:53 PM, Dmitri Pal wrote:

On 03/26/2015 02:33 PM, thierry bordaz wrote:

On 03/26/2015 04:21 PM, Martin Kosek wrote:

First, I think *this* thread should better be on freeipa-devel since it is
only upstream feature specific, no planning inside.

On 03/26/2015 02:02 PM, thierry bordaz wrote:

On 03/26/2015 01:02 PM, David Kupka wrote:

Hi Thierry!

On 03/26/2015 11:45 AM, thierry bordaz wrote:

Hello,

  In user life cycle, when a stage entry is activated it is moved from
  a stage container to an active container.
  Then when an active entry is deleted it is moved to a delete
container.

  The move stage->active is done by creating a new entry (ADD active,
  DEL stage).
  The move active->delete can be done with a MODRDN of the entry or
  also ADD delete_entry + DEL active_entry.
  I was wondering what is the best approach: MODRDN vs ADD-DEL.

Why did we choose ADD-DEL over MODRDN in stage->active procedure? Could we
use the same reasoning to repeat the choice?

ADD-DEL was preferred (for activate) mainly because there are provisioning
systems, so the stage entry can contain invalid values or be missing some
attributes/values. We need to rebuild a very clean entry, picking some values
from the stage entry, if the values are valid.

The original proposal was MODRDN to also allow us to control the operation with
the MODRDN ACIs you added to DS. You cannot really control DEL and ADD
operations together, so you would have to allow the person who activates the
entries to delete any staged user and add a new active user.

I agree, MODRDN was the original proposal but finally ADD-DEL was chosen
because entries added by a provisioning system should be validated (in
particular the structural objectclass,
https://www.redhat.com/archives/freeipa-devel/2014-May/msg00471.html).

That means that the helpdesk person that has rights to ADD on the active
container needs DEL rights on staging.
In fact the MODRDN ACI brings an additional control, where the helpdesk person
does not need those rights.

This is the original section I added for this reasoning:
http://www.freeipa.org/index.php?title=V4/User_Life-Cycle_Management#MODRDN_vs._ADD-DEL


Why cannot the activate command be multistep? I.e. move the entry to active
users, generate missing fields and enable the entry? It could also trigger
automember for that user, we have commands for it.

I think it is also feasible.
Just a remark: if the stage entry has a userpassword/krbPrincipalKey, at the
time it is MODRDN'd to the active container we can authenticate with it,
even if all the initialization steps are not completed.

In this case, I see the benefits for ADD-DEL. It would have to be done anyway,
if structural objectclasses are added to the entry, right?

Please just make sure to include the end result and reasoning in the cleaned
wiki design.


Sure. I am doing this right now.



For user-del, the active entry is valid, we just want to clear some
attributes.
Actually, digging into the archive, it was already discussed
(https://www.redhat.com/archives/freeipa-devel/2014-June/msg00080.html),
leading to MODRDN!

I would really prefer a custom LDAP plugin that would do the processing of the
delete entry (re-add it or convert DEL to MODRDN, if possible). The reason is
that with this approach, people/software would still be able to use the
standard ldapdelete operation to delete users instead of figuring out they need
to MODRDN it to some location to keep the company policies.

The ticket 3911 says: [RFE] Allow managing users add/modify/*delete* via LDAP
client. With MODRDN DEL approach, you are breaking the delete part.

That is right, using a DS plugin hides some complexity at the application
level.
If we introduce user-del options '--preserve|--permanent', we would need to
give this option to the DEL (control?).

Hm. I do not see it that way.
I see that the command has two options: do a MODRDN (--preserve) or a DEL
(--permanent) depending on flags. This is the decision made in the framework
before it hits DS. So I am not sure anything should be given to the control.
It would be invoked only in case of MOD. In case of DEL everything would
work as now. No?

(adding freeipa-devel)

If this is the application or CLI that decides what to do, I agree that
--preserve will issue a MODRDN and --permanent a DEL.

My understanding of Martin's point is that the application/CLI should not
decide but just issue a DEL.
This would be the job of a DS plugin to convert the DEL into a MODRDN (or
ADD-DEL) to move the entry from the active to the delete container.

In that case, the DS plugin needs to decide if the DEL intends to preserve the
entry (move to the delete container) or permanently delete the entry (true LDAP
delete).
I was wondering how to give the DS plugin the way to decide: configuration
parameter, DEL control...

I see but this seem more complicated than what I pr

Re: [Freeipa-devel] [PATCH] extop: For printf formatting warning

2015-03-27 Thread Sumit Bose
On Thu, Mar 26, 2015 at 07:40:16PM +0100, Lukas Slebodnik wrote:
> On (18/03/15 12:33), Jakub Hrozek wrote:
> >On Wed, Mar 18, 2015 at 11:39:15AM +0100, Sumit Bose wrote:
> >> On Wed, Mar 18, 2015 at 11:25:14AM +0100, Jakub Hrozek wrote:
> >> > I could swear I sent the patch last time when I was reviewing Sumit's
> >> > patches but apparently not.
> >> > 
> >> > It's better to use %zu instead of %d for size_t formatting with recent
> >> > compilers.
> >> 
> >> > From a088e8c8a9bd29b4c22f1579f2c3705652bf2730 Mon Sep 17 00:00:00 2001
> >> > From: Jakub Hrozek 
> >> > Date: Wed, 18 Mar 2015 11:20:38 +0100
> >> > Subject: [PATCH] extop: For printf formatting warning
> >> > 
> >> > ---
> >> >  daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 2 +-
> >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> > 
> >> > diff --git 
> >> > a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
> >> > b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
> >> > index 
> >> > 708d0e4a2fc9da4f87a24a49c945587049f7280f..bc25e7643cdebe0eadc0cee4dcba3a392fdc33be
> >> >  100644
> >> > --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
> >> > +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
> >> > @@ -200,7 +200,7 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, 
> >> > struct ipa_extdom_ctx **_ctx)
> >> >  if (ctx->max_nss_buf_size == 0) {
> >> >  ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER;
> >> >  }
> >> > -LOG("Maximal nss buffer size set to [%d]!\n", 
> >> > ctx->max_nss_buf_size);
> >> > +LOG("Maximal nss buffer size set to [%zu]!\n", 
> >> > ctx->max_nss_buf_size);
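Review bot: the `%zu` in the `LOG("Maximal nss buffer size set to [%zu]!\n", ...)` line fixes the compiler warning, but as the discussion in this thread notes, LOG ends up in an NSPR-style formatter that only recognizes the h, l and ll length modifiers, so neither `z` nor `j` is interpreted at run time; use `%lu` with an explicit `(unsigned long)ctx->max_nss_buf_size` cast instead, which keeps the compiler quiet and is understood by both formatters.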
> >> 
> >> I tried this some time ago and found that here not the glibc printf
> >> version is used but I guess some NSPR implementation which does not
> >> support the z specifier. So I would assume that this is not working as
> >> expected. Have you tried to trigger the error message or called LOG
> >> unconditionally with '%zu'?
> >
> >No, I only tried compiling the code. I hadn't expected a non-standard
> >printf to be used. Sorry.
> >
> >Then what about casting max_nss_buf_size to something large that the NSPR
> >implementation can handle (unsigned long?)
> >
> You can use the modifier "j" and cast to uintmax_t or intmax_t
> 
> man 3 printf says:
>   j  A  following  integer  conversion  corresponds to an intmax_t or
>   uintmax_t argument, or a following n conversion corresponds to a
>   pointer to an intmax_t argument.

looks like NSPR only knows about 'h', 'l' and 'll', see
http://www-archive.mozilla.org/projects/nspr/reference/html/prprf.html#23299
for details.

bye,
Sumit

> 
> LS
> 

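The portable formatting the thread converges on, as an added example that is not FreeIPA code: a size_t is printed with the 'l' modifier plus an explicit cast, which the thread says NSPR's formatter understands (unlike z and j), guarded by a compile-time check that the cast cannot truncate. The function names, the sample value and the round-trip check are this example's own, not the project's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeIPA code.  The thread's point: the LOG() macro in
 * ipa_extdom_extop.c does not reach glibc's printf but an NSPR-style
 * formatter that only knows the h, l and ll length modifiers, so "%zu"
 * (and "%ju") silence the compiler without being interpreted at run time.
 * The form below uses "%lu" plus an explicit cast, which both understand.
 */

/* The cast is lossless only if unsigned long is at least as wide as size_t.
 * True on LP64 Linux, false on LLP64 (Win64), so state the assumption
 * at compile time instead of relying on it silently. */
_Static_assert(sizeof(unsigned long) >= sizeof(size_t),
               "unsigned long is narrower than size_t; use %llu with a cast "
               "to unsigned long long instead");

/* Format the message the patch touches using only the 'l' modifier.
 * Returns what snprintf returns (the length that would have been written). */
int format_nss_buf_size(char *out, size_t out_len, size_t max_nss_buf_size)
{
    return snprintf(out, out_len, "Maximal nss buffer size set to [%lu]!",
                    (unsigned long)max_nss_buf_size);
}

/* 1 if formatting `value` yields exactly `expected`, else 0. */
int line_matches(size_t value, const char *expected)
{
    char buf[96];
    format_nss_buf_size(buf, sizeof buf, value);
    return strcmp(buf, expected) == 0;
}

/* 1 if the value survives the format/parse round trip intact, else 0.
 * Parsing back with the same modifier shows the cast dropped no bits. */
int check_roundtrip(size_t value)
{
    char buf[96];
    unsigned long parsed = 0;
    format_nss_buf_size(buf, sizeof buf, value);
    if (sscanf(buf, "Maximal nss buffer size set to [%lu]!", &parsed) != 1)
        return 0;
    return (size_t)parsed == value;
}

int main(void)
{
    char buf[96];
    size_t max_nss_buf_size = 131072;  /* constructed sample value */

    format_nss_buf_size(buf, sizeof buf, max_nss_buf_size);
    puts(buf);
    /* SIZE_MAX is the value a truncating cast would corrupt. */
    return check_roundtrip((size_t)-1) ? 0 : 1;
}
```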


Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Alexander Bokovoy

On Fri, 27 Mar 2015, Petr Vobornik wrote:

On 03/27/2015 10:22 AM, Jan Pazdziora wrote:

On Fri, Mar 27, 2015 at 10:48:20AM +0200, Alexander Bokovoy wrote:


For Fedora there is updates-testing repository that fits the goal
of testing before applying to the actual deployment if you have any
(I do


The problem is, the 4.1.4 bits are not even in updates-testing yet:

http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/21/x86_64/f/

So we did not really provide the release on Fedora 21 to the
community.



There is always a question whether an upstream release announcement 
should wait for downstream release. I could see arguments for both 
answers.


But we clearly stated:

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
.


1) "It can be downloaded from http://www.freeipa.org/page/Downloads";
 True, the tarball is there
2) "The builds will be available for Fedora 21."
 True (they are not yet, but WILL BE)
3) "Builds for Fedora 20 are available in the official COPR repository"
 True, although there were issues with the missing slapi-nis build 
which should be resolved now

Yep. And Fedora infrastructure was under a heavy hammer last week or so,
which caused an overall delay in processing updates for all repositories.
This is not something that happens every time, so I think Jan's
complaints are far from being fair.

We considered yesterday with Petr waiting until the packages were pushed
but decided to give it a go due to the CVE. Packages are built and available;
an upgrade on Fedora can be done with the help of the koji tool if the need to
fix your deployment is high. If we had held the announcements until
Fedora had solved their issues, we would have done our users a
disservice.

Using COPR as a solution here is wrong, though. I know, I had one user
who took my OTP COPR test repo bits and used them in production for about a
year even long after packages were pushed out to Fedora proper. 
--

/ Alexander Bokovoy



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Petr Vobornik

On 03/27/2015 10:31 AM, Petr Vobornik wrote:

On 03/27/2015 10:22 AM, Jan Pazdziora wrote:

On Fri, Mar 27, 2015 at 10:48:20AM +0200, Alexander Bokovoy wrote:


For Fedora there is updates-testing repository that fits the goal
of testing before applying to the actual deployment if you have any
(I do


The problem is, the 4.1.4 bits are not even in updates-testing yet:

http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/21/x86_64/f/

 So we did not really provide the release on Fedora 21 to the
community.



There is always a question whether an upstream release announcement
should wait for downstream release. I could see arguments for both answers.

But we clearly stated:

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
.


1) "It can be downloaded from http://www.freeipa.org/page/Downloads";
   True, the tarball is there
2) "The builds will be available for Fedora 21."
   True (they are not yet, but WILL BE)


And if one doesn't want to wait for the Fedora process, he can always 
download them from koji. The announcement is usually sent when the 
builds are ready. Sometimes I wait for the push, but in general it 
doesn't change anything. We can't speed up the process and doing new 
repos just for impatient people IMO isn't worth the time.



3) "Builds for Fedora 20 are available in the official COPR repository"
   True, although there were issues with the missing slapi-nis build
which should be resolved now

--
Petr Vobornik



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Petr Vobornik

On 03/27/2015 10:22 AM, Jan Pazdziora wrote:

On Fri, Mar 27, 2015 at 10:48:20AM +0200, Alexander Bokovoy wrote:


For Fedora there is updates-testing repository that fits the goal
of testing before applying to the actual deployment if you have any
(I do


The problem is, the 4.1.4 bits are not even in updates-testing yet:

http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/21/x86_64/f/

 So we did not really provide the release on Fedora 21 to the
community.



There is always a question whether an upstream release announcement 
should wait for downstream release. I could see arguments for both answers.


But we clearly stated:

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
.


1) "It can be downloaded from http://www.freeipa.org/page/Downloads";
  True, the tarball is there
2) "The builds will be available for Fedora 21."
  True (they are not yet, but WILL BE)
3) "Builds for Fedora 20 are available in the official COPR repository"
  True, although there were issues with the missing slapi-nis build 
which should be resolved now

--
Petr Vobornik



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Jan Pazdziora
On Fri, Mar 27, 2015 at 10:48:20AM +0200, Alexander Bokovoy wrote:
>
> For Fedora there is updates-testing repository that fits the goal of
> testing before applying to the actual deployment if you have any (I do

The problem is, the 4.1.4 bits are not even in updates-testing yet:


http://dl.fedoraproject.org/pub/fedora/linux/updates/testing/21/x86_64/f/

So we did not really provide the release on Fedora 21 to the
community.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Alexander Bokovoy

On Fri, 27 Mar 2015, Jan Pazdziora wrote:

On Fri, Mar 27, 2015 at 09:50:56AM +0200, Alexander Bokovoy wrote:

>is in testing and it will be a while before it gets to Fedora proper;
>a copr repo would give us a stable (no fiddling with updates-testing
>enablement) yum source.

No, it does not make sense to duplicate Fedora repositories. If you want
to get packages heading to the stable repository faster, do the testing and
apply karma. We can get to stable as soon as karma is reached.


But the goal here is not to get to stable faster, quite the contrary.
The goal is to be able to take your time with testing in all sorts of
scenarios before the bits hit stable Fedora.

If you want *that*, use your own COPR. I don't have time to maintain a
dozen variants of the repositories for the same distribution releases
just for the sake of a false feeling of stability. You need to test during
development; we have an upstream QE testing effort aiming at this as well.

For Fedora there is updates-testing repository that fits the goal of
testing before applying to the actual deployment if you have any (I do
have my infrastructure deployed on Fedora).
--
/ Alexander Bokovoy



[Freeipa-devel] FreeIPA 4.1.4 upstream repo for RHEL 7 is broken

2015-03-27 Thread Jan Pazdziora
On Thu, Mar 26, 2015 at 06:14:34PM +0100, Petr Vobornik wrote:
> The FreeIPA team would like to announce FreeIPA v4.1.4 security release!
> 
> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> will be available for Fedora 21. Builds for Fedora 20 are available in the
> official COPR repository
> .

I've noticed that the RHEL/EPEL 7 upstream repo was updated as well.

However, that repo is currently broken when used on RHEL 7.1:

# curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo 
https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
[...]
# yum install -y freeipa-server
[...]
--> Finished Dependency Resolution
Error: Package: freeipa-server-4.1.4-1.el7.centos.x86_64 
(mkosek-freeipa)
   Requires: slapi-nis >= 0.54.2-1
   Available: slapi-nis-0.52-4.el7.x86_64 (rhel-7-server-rpms)
   slapi-nis = 0.52-4.el7
   Available: slapi-nis-0.54-2.el7.x86_64 (rhel-7-server-rpms)
   slapi-nis = 0.54-2.el7
   Available: slapi-nis-0.54-3.el7_1.x86_64 (rhel-7-server-rpms)
   slapi-nis = 0.54-3.el7_1
   Available: slapi-nis-0.54.1-1.el7.centos.x86_64 
(mkosek-freeipa)
   slapi-nis = 0.54.1-1.el7.centos
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Jan Pazdziora
On Fri, Mar 27, 2015 at 09:50:56AM +0200, Alexander Bokovoy wrote:
> >is in testing and it will be a while before it gets to Fedora proper;
> >a copr repo would give us a stable (no fiddling with updates-testing
> >enablement) yum source.
>
> No, it does not make sense to duplicate Fedora repositories. If you want
> to get packages heading to the stable repository faster, do the testing and
> apply karma. We can get to stable as soon as karma is reached.

But the goal here is not to get to stable faster, quite the contrary.
The goal is to be able to take your time with testing in all sorts of
scenarios before the bits hit stable Fedora.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Alexander Bokovoy

On Fri, 27 Mar 2015, Jan Pazdziora wrote:

On Thu, Mar 26, 2015 at 06:14:34PM +0100, Petr Vobornik wrote:

The FreeIPA team would like to announce FreeIPA v4.1.4 security release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
will be available for Fedora 21. Builds for Fedora 20 are available in the
official COPR repository
.


The description at that page still only mentions 4.1.3, it should
likely be updated.

Does it make sense to start making upstream copr repos for Fedora 21
and possibly Fedora 22 as well? The

https://admin.fedoraproject.org/updates/freeipa-4.1.4-1.fc21

is in testing and it will be a while before it gets to Fedora proper;
a copr repo would give us a stable (no fiddling with updates-testing
enablement) yum source.

No, it does not make sense to duplicate Fedora repositories. If you want
to get packages heading to the stable repository faster, do the testing and
apply karma. We can get to stable as soon as karma is reached.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] Announcing FreeIPA 4.1.4

2015-03-27 Thread Jan Pazdziora
On Thu, Mar 26, 2015 at 06:14:34PM +0100, Petr Vobornik wrote:
> The FreeIPA team would like to announce FreeIPA v4.1.4 security release!
> 
> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
> will be available for Fedora 21. Builds for Fedora 20 are available in the
> official COPR repository
> .

The description at that page still only mentions 4.1.3, it should
likely be updated.

Does it make sense to start making upstream copr repos for Fedora 21
and possibly Fedora 22 as well? The

https://admin.fedoraproject.org/updates/freeipa-4.1.4-1.fc21

is in testing and it will be a while before it gets to Fedora proper;
a copr repo would give us a stable (no fiddling with updates-testing
enablement) yum source.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
