Re: [Freeipa-devel] [PATCH] 0771 Package python3-ipaclient

2016-02-28 Thread Jan Cholasta

Hi,

On 22.2.2016 12:35, Petr Viktorin wrote:

Hello,
This will make a python3-ipaclient RPM.


Thanks, ACK.

Added a missing newline, rebased and pushed to:
master: ec95ffaa529b3de61b12c85ce01e4b2f1d0c65b3
ipa-4-3: f714cb46923b23181daf20d72e34202ea0aacfd8

Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES] 0772-0774 Python3 fixes in for client installation

2016-02-28 Thread Jan Cholasta

Hi,

On 26.2.2016 17:14, Petr Viktorin wrote:

On 02/22/2016 12:37 PM, Petr Viktorin wrote:

Hello,
These fixes are needed for the "happy path" of ipa-client-install
--server on Python 3.


Hello,
Could someone please look at these patches?


Patch 0772:

1) Instead of decoding when the type is bytes in get_ipa_basedn(), read 
attribute values from 'entry.raw' rather than 'entry' and decode always.



2) get_ipa_basedn() is used only in ipadiscovery, perhaps we should move 
it there?



Patch 0773: ACK, but the patch does not apply on ipa-4-3.


Patch 0774: ACK.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0001 Adding URL to HBAC rule

2016-02-28 Thread Martin Kosek
On 02/26/2016 04:38 PM, Lukáš Hellebrandt wrote:
> On 02/26/2016 01:30 PM, Martin Kosek wrote:
>> Greetings, welcome!
>>
>> On 02/26/2016 01:17 PM, Lukáš Hellebrandt wrote:
>> ...
>>> Btw, is there some better place to share patches than a pasting tool?
>>> Maybe some form of pull request?
>>
>> There is :-) Please see advice here:
>>
>> http://www.freeipa.org/page/Contribute/Code#Submit_a_patch
>>
>> It has more information on top of submitting patches. For example, I think it
>> would actually make sense to start with a design page where you would describe
>> the use cases, design, APIs, etc:
>>
>> http://www.freeipa.org/page/Contribute/Code#Prepare
>>
>> Martin
>>
> 
> Should I send it as an attachment?

Right.

> Ok, sending, but do not apply it yet
> (even if you don't find bugs), I just need some feedback - not
> everything is done yet.

The patch looks OK, but there is not much in the patch anyway, yet. But as I
wrote above, I would suggest starting with a design document you share with
the other developers, so that you can be given advice and feedback regarding
the approach and overall design.



[Freeipa-devel] Design review request: RFC 2818 certificate compliance

2016-02-28 Thread Fraser Tweedale
Hi all (especially those interested in certificates),

Please provide early review of my design for RFC 2818 compliance
which will address the following tickets:

- #4970 Server certificate profile should always include a Subject Alternate name for the host
- #5706 [RFE] Support SAN-only certificates

http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance

The design is a WIP and there is no code for it yet.  Looking for
feedback and (hopefully) validation of the approach before
committing cycles to implementing new profile components in Dogtag.

Thanks in advance,
Fraser



Re: [Freeipa-devel] [PATCH 200] slapi-nis: update configuration to allow external members

2016-02-28 Thread Jan Cholasta

On 26.2.2016 21:38, Lukas Slebodnik wrote:

On (26/02/16 12:37), Tomas Babej wrote:



On 02/26/2016 07:30 AM, Jan Cholasta wrote:

On 22.2.2016 19:56, Tomas Babej wrote:



On 02/22/2016 06:14 PM, Alexander Bokovoy wrote:

On Mon, 22 Feb 2016, Tomas Babej wrote:



On 02/22/2016 11:48 AM, Alexander Bokovoy wrote:

Hi,

attached patch should update compat tree configuration if it exists to
follow slapi-nis 0.55 which has support for external members of IPA
groups.

However, the real work is done in SSSD. These patches are not
upstreamed
yet. We'll need to bump SSSD dependency in future once they come to
distros.





This looks good.

However, the new update file needs to be added to Makefile.am.
Additionally, patch adds a whitespace error.

Updated patch is attached.



ACK.

This should not be pushed until the dependency for SSSD can be bumped.


https://bodhi.fedoraproject.org/updates/FEDORA-2016-d872920f74



Attaching the required spec change.

Tomas



From dae8b8fd0b23bf25ccf75b275deaa5c599faa27b Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Fri, 26 Feb 2016 12:35:09 +0100
Subject: [PATCH] spec: Bump required sssd version to 1.13.3-5

Required as part of: https://fedorahosted.org/freeipa/ticket/4403

  ^
No sssd-related ticket is mentioned in the slapi-nis bug.
It would be good to also add the sssd-related ticket to the commit message:
https://fedorahosted.org/sssd/ticket/2522


+1, that's in IPA.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install

2016-02-28 Thread Martin Štefany
Hi,

I did as Jan suggested; everything is now a new command 'ipa-sshupdate'
(it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste), and the
rest is based on ipa-client-install's code. I'm not sure if this is
correct, but you might want to change ipa-client-install to just 'import
ipaclient.ipa_sshupdate' for the ssh update, or not - I'm not sure how this
is compatible with 'code deduplication', 're-usage', etc.

Another open point from my side is PEP8 compliance. I've run the new
code through the pep8 utility with defaults and it's 'OK'. But so is the code in
my employer's project, and they look slightly 'different', mainly for
brackets, strings, etc. Please have a look at that too; I'm happy for
any guidance.

Martin

On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:
> Hi,
> 
> On 25.2.2016 14:23, Martin Basti wrote:
> > 
> > 
> > 
> > On 22.02.2016 22:13, Martin Štefany wrote:
> > > 
> > > Hi,
> > > 
> > > please, review the attached patch which adds --ssh-update to ipa-client-install.
> > > 
> > > Ticket: https://fedorahosted.org/freeipa/ticket/2655
> > Hello,
> > thank you for your patch.
> > Please attach a patch as a file next time.
> > 
> > I have doubts that this should be part of ipa-client-install, this
> > needs
> > a broader discussion.
> +1, I think it should be a separate command (ignore my earlier
> suggestion from Trac to incorporate this into ipa-client-install, I
> was young and stupid).
> 
> See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an
> example of how such a command should be implemented.
> 
> > 
> > 
> > Code comments inline:
> > > 
> > > 
> > > ---
> > > Martin
> > > 
> > > > 
> > > > From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17
> > > > 00:00:00 2001
> > > From: Martin Stefany 
> > > Date: Mon, 22 Feb 2016 20:58:13 +
> > > Subject: [PATCH] Add new parameter --ssh-update to ipa-client-
> > > install
> > > 
> > > Add a new parameter '--ssh-update' which can be used later after
> > > freeipa
> > > client is installed to update SSH hostkeys and SSHFP DNS records
> > > for
> > > host.
> > > 
> > > https://fedorahosted.org/freeipa/ticket/2655
> > > ---
> > >   ipa-client/ipa-install/ipa-client-install | 102
> > > +-
> > >   1 file changed, 99 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-
> > > client/ipa-
> > > install/ipa-client-install
> > > index
> > > 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bddada89
> > > a3b151
> > > 33e398ca50 100755
> > > --- a/ipa-client/ipa-install/ipa-client-install
> > > +++ b/ipa-client/ipa-install/ipa-client-install
> > > @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1
> > >   CLIENT_NOT_CONFIGURED = 2
> > >   CLIENT_ALREADY_CONFIGURED = 3
> > >   CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
> > > +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH public
> > > keys
> > > 
> > >   def parse_options():
> > >   def validate_ca_cert_file_option(option, opt, value,
> > > parser):
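Review bot: the new exit code CLIENT_SSHUPDATE_ERROR = 5 fits the existing numbering, but the reviewers in this thread ask for the SSH update to be a separate command modelled on ipa-certupdate rather than a mode of ipa-client-install; if it moves out, this constant should move with it so ipa-client-install's exit codes do not grow an entry nothing in the installer returns.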
> > > @@ -215,6 +216,12 @@ def parse_options():
> > > "be run with --
> > > unattended
> > > option")
> > >   parser.add_option_group(uninstall_group)
> > > 
> > > +sshupdate_group = OptionGroup(parser, "SSH key update
> > > options")
> > > +sshupdate_group.add_option("--ssh-update", dest="ssh_update",
> > > +  action="store_true", default=False,
> > > +  help="update local host's SSH public keys
> > > in host
> > > entry and DNS.")
> > > +parser.add_option_group(sshupdate_group)
> > > +
> > >   options, args = parser.parse_args()
> > >   safe_opts = parser.get_safe_opts(options)
> > > 
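Review bot: --ssh-update is added as a plain store_true option with no validation that it is not combined with --uninstall or the install-only options before `options, args = parser.parse_args()`; parse_options() already rejects bad combinations for the uninstall group (see the "be run with --unattended option" error just above), so add an equivalent check that --ssh-update is used alone and errors out otherwise.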
> > > @@ -840,6 +847,92 @@ def uninstall(options, env):
> > > 
> > >   return rv
> > > 
> > > +def sshupdate(options, env):
> > > +if not is_ipa_client_installed():
> > > +root_logger.error("IPA client is not configured on this
> > > system.")
> > > +return CLIENT_NOT_CONFIGURED
> > > +
> > > +api.bootstrap(context='cli_installer', debug=options.debug)
> > > +api.finalize()
> > > +if 'config_loaded' not in api.env:
> > > +root_logger.error("Failed to initialize IPA API.")
> > > +return CLIENT_SSHUPDATE_ERROR
> > > +
> > > +# Now, let's try to connect to the server's RPC interface
> > > +connected = False
> > > +try:
> > > +api.Backend.rpcclient.connect()
> > > +connected = True
> > > +root_logger.debug("Try RPC connection")
> > > +api.Backend.rpcclient.forward('ping')
> > > +except errors.KerberosError as e:
> > > +if connected:
> > > +api.Backend.rpcclient.disconnect()
> > > +root_logger.info(
> > > +"Cannot connect to the server due to Kerberos error:
> > > %s. "
> > > +"Trying with delegate=True", e)
> > > +try:
> > > +

Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-28 Thread Jakub Hrozek
On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > > Hi, FreeIPA and SSSD communities!
> > > > 
> > > > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > > > control access not only based on (user, host, service), but on (user,
> > > > host, service, resource's URI).
> > > > 
> > > > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > > > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > > > this URI from FreeIPA and use it in HBAC evaluation.
> > > > 
> > > > I still need to develop a part of SSSD receiving URI-aware requests. It
> > > > will either be an enhancement of Infopipe or I will use PAM responder
> > > > (any suggestions?).
> > > > 
> > > > I wanted to kindly ask you for review and your opinions on the patches
> > > > and generally on my approach. This would be my first contribution to
> > > > FreeIPA and SSSD so there might be bugs. What do you think?
> > > > 
> > > > Btw, is there some better place to share patches than a pasting tool?
> > > > Maybe some form of pull request?
> > > > 
> > > > Thanks for your opinions!
> > > > 
> > > > [1]
> > > > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > > [2]
> > > > http://pastebin.com/rsHzXeAR
> > > > [3]
> > > > http://pastebin.com/atcZMuP1
> > > > 
> > > 
> > > Hi Lukas, could you please post your patches here using git-format-patch or,
> > > even better, provide a public git tree with them applied?
> > > (Any place, github, fedorapeople, your own server, etc., is fine.)
> > > 
> > > 
> > > First a question: what service can actually use this scheme and how?
> > > There is no URL field in PAM.
> > 
> > When Lukas started the work, we IIRC concluded that PAM is not an
> > appropriate interface and we should probably expose some DBUS methods
> > for access control. We haven't really discussed any details since then.
> 
> This only shifts the question: what service would use this interface?
> Note I am not opposed to it, but would like to understand how we are
> going to test that it actually works and is useful.

I thought it was going to be an Apache module, much like Jan's
mod_authnz_pam, so maybe something like mod_authnz_hbac.
