[Freeipa-devel] [freeipa PR#387][opened] Update warning message for ipa server uninstall

2017-01-10 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/387
Author: Akasurde
 Title: #387: Update warning message for ipa server uninstall
Action: opened

PR body:
"""
Fix adds an additional recommendation message for taking backup
of existing data and configuration before proceeding to
ipa server uninstallation procedures.

Fixes https://fedorahosted.org/freeipa/ticket/6548

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/387/head:pr387
git checkout pr387
From e8b41123eeece180b9a072736e33694e74c46394 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Wed, 11 Jan 2017 11:15:48 +0530
Subject: [PATCH] Update warning message for ipa server uninstall

Fix adds an additional recommendation message for taking backup
of existing data and configuration before proceeding to
ipa server uninstallation procedures.

Fixes https://fedorahosted.org/freeipa/ticket/6548

Signed-off-by: Abhijeet Kasurde 
---
 ipaserver/install/server/install.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index fc319d9..b71a32f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -975,7 +975,9 @@ def uninstall_check(installer):
 
 if installer.interactive:
 print("\nThis is a NON REVERSIBLE operation and will delete all data "
-  "and configuration!\n")
+  "and configuration!\nIt is highly recommended to take a backup of "
+  "existing data and configuration using ipa-backup utility "
+  "before proceeding.\n")
 if not user_input("Are you sure you want to continue with the "
   "uninstall procedure?", False):
 raise ScriptError("Aborting uninstall operation.")
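Review bot: the new backup recommendation is printed only inside the `if installer.interactive:` branch, so an unattended uninstall never sees it and it is not recorded anywhere; consider also emitting it through the logger, before the confirmation prompt, so it lands in the install log regardless of mode. Naming `ipa-backup` explicitly is good; the restore counterpart is out of scope here.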
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-01-10 Thread Fraser Tweedale
On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> Hi Fraser,
> 
> I have some rather inane comments. I guess Jan Cholasta will do a more
> thorough review of your design. See below:
> 
> On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> > Hi comrades,
> > 
> > I have written up the high-level details of the FreeIPA->Dogtag
> > GSS-API authentication design.  The goal is to improve security by
> > removing an egregious privilege separation violation: the RA Agent
> > cert.
> > 
> > There is a fair bit of work still to do on the Dogtag side but
> > things are shaping up there and it's time to work out the IPA
> > aspects.  The design is at:
> > 
> >   http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> 
> first of all, you link an internal document from a publicly available design
> page. you should prepare a publicly visible version of the Dogtag-side
> design and link that.
> 
Will do; thanks.

> It would also be nice to have a high-level graphical representation of the
> proposed CSR processing workflow. I think you can re-use the one that is in
> the Dogtag part, omit the Dogtag internals and add IPA-specific parts.
> 
I will definitely do this a bit later, once more details of IPA
design are established.

> > 
> > Right now, I need feedback about the Domain Level aspects: whether
> > it is the right approach, whether there are mechanisms to perform
> > update steps (specifically: LDAP updates and/or api calls) alongside
> > a DL bump, or if there aren't, how to deal with that (implement such
> > a mechanism, make admins do extra steps, ???).
> > 
> 
> Is the DL bump really necessary? Are you sure we really can not just update
> the profile configuration and let older Dogtag installation handle it
> gracefully? IIRC we have done some profile inclusion work in 4.2 development
> and on and never really bothered about older Dogtag understanding them.
> 
The problem is that the new profiles will refer to plugins (i.e.
classes) that do not exist in older versions of Dogtag.  Profile
config is replicated, so if we upgrade profile config with old
versions of Dogtag in the topology, it breaks them.

I considered a mechanism where multiple versions of a profile exist
in LDAP (i.e. multiple attribute values), and Dogtag picks the one
that's "right" for it.  (An example of how to do this might be
attribute tagging where tag indicates minimum version of Dogtag
containing components used in that profile version, and Dogtag picks
the highest that it supports).  The advantage of such a mechanism is
that we could use it for any future scenario where we introduce new
profile components that we want to use in IPA.  The downside is that
it significantly complicates profile management (including for
administrators), and can result in the same profile having different
behaviour on different Dogtag instances, which could be confusing
and make it harder to diagnose issues.  Given the tradeoffs, I think
a DL bump is preferable.

> Anyway I guess we can call `certprofile-import' to load
> ExternalProcessConstraint-enabled profile upon setting domain level to 2, we
> just have to know where on the FS it is located.
> 
> > Of course, any other general or specific feedback is welcome.
> > 
> > Thanks,
> > Fraser
> > 
> 
> So if I understand correctly there will be no change in CA ACL management
> interface and only the code which evaluates them will be factored out into
> 'ipa-pki-validate-cert-request' command? Also, wouldn't it be simpler if the CA
> ACL evaluation was delegated to a separate API command instead?
> ExternalProcessConstraint would then only ask IPA JSON api and process the
> response.
> 
There are no changes to CA ACL management interface as part of this
design, but there are proposals to extend/rework it in future, e.g.
#6424, #6425, #6426.

Having a separate command for CA ACL evaluation is a good idea, and
a clean refactoring target.  ExternalProcessConstraint is generic
with no knowledge of IPA API, but 'pki-pki-validate-cert-request'
can invoke the new API command.

Thanks for your feedback, Martin!

Cheers,
Fraser



Re: [Freeipa-devel] CSR autogeneration next steps

2017-01-10 Thread Ben Lipton


On 01/10/2017 01:58 AM, Jan Cholasta wrote:

On 19.12.2016 21:59, Ben Lipton wrote:


On 12/15/2016 11:11 PM, Ben Lipton wrote:


On 12/12/2016 03:52 AM, Jan Cholasta wrote:

On 5.12.2016 16:48, Ben Lipton wrote:

Hi Jan, thanks for the comments.


On 12/05/2016 04:25 AM, Jan Cholasta wrote:

Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's ready
for review can get reviewed and the ideas that have been discussed get
prototyped or at least recorded so they won't be forgotten.


Thanks, I have some questions and comments, see below.



Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10


How hard would it be to update the PR to use the "new" interface from
the design thread? By this I mean that currently there is a command
(cert_get_requestdata), which creates a CSR from profile id +
principal + helper, but in the design we discussed a command which
creates a CertificationRequestInfo from profile id + principal +
public key.

Internally it could use the OpenSSL helper, no need to implement the
full "new" design. With your build_requestinfo.c code below it looks
like it should be pretty straightforward.


This is probably doable with the cffi, but I'm concerned about
usability. A user can run the current command to get a (reusable)
script, and run the script to get a CSR. It works with keys in both PEM
files and NSS databases already. If we change to outputting a
CertificationRequestInfo, in order to make this usable on the command
line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo (for
both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within
the ipa command (like [1] but we need it for both types of key storage)

Since as far as I know there's no standard encoding for files containing
only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
writing and distributing these ourselves. I think that's where most of
the extra work will come in.


For PEM files, this is easily doable using python-cryptography (to
extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
PyASN1 (to create a CSR from the CertificationRequestInfo and the
signature).


I didn't realize that python-cryptography knew about
SubjectPublicKeyInfo structures, but indeed this seems to be pretty
straightforward:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import (
    load_pem_private_key, Encoding, PublicFormat)
key = load_pem_private_key(key_bytes, None, default_backend())
pubkey_info = key.public_key().public_bytes(Encoding.DER,
                                            PublicFormat.SubjectPublicKeyInfo)

Thanks for letting me know this functionality already existed.


I'm currently working on the step of signing the 
CertificationRequestInfo and creating a CSR from it. I think I have it 
working with pyasn1, but of course the "signature algorithm" for the CSR 
needs to be specified and implemented within the code since I'm not 
using a library that understands CSRs natively. The code I have 
currently always produces CSRs with the sha256WithRSAEncryption 
algorithm (DER-encode request info, SHA256, PKCS #1v1.5 padding, RSA 
encryption), and the OID for that algorithm is hardcoded in the output 
CSR. Is this ok or will we need more flexibility than that?


For NSS databases, this will be trickier and will require calling C
functions, as neither certutil nor python-nss provide a way to a)
address existing keys in the database by key ID b) get
SubjectPublicKeyInfo for a given key.


This can be worked around by:

1. Generating a key + temporary certificate:

n=$(head -c 40 /dev/urandom | base32)
certutil -S -n $n -s CN=$n -x -t ,,

2. Extracting the public key from the certificate:

certutil -L -n $n -a >temp.crt
(extract the public key using python-cryptography)

3. Deleting the temporary certificate:

certutil -D -n $n

4. Importing the newly issued certificate:

certutil -A -n $n -t ,, -a

Oof, thanks, I'm not sure I would have been able to come up with that.
Can you generate a key without a temporary certificate if you use the 
NSS API, or does their model require every key to belong to a cert?


As for encoding, the obvious choice is DER. It does not really matter
there is no standard file format, as we won't be transferring these
as files anyway.


Agreed. I just meant there aren't tools already because this isn't a
type of file one often needs to process.




Would it be ok to stick with the current design in this PR? I'd feel
much better if we could get the basic functionality into the repo and
then iterate on it rather than changing the plan at this point. I can
create a separate PR to change cert_get_requestdata to this new
interface and at 
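
The CSR assembly Ben describes above (DER-encoded CertificationRequestInfo, SHA-256, PKCS #1 v1.5 padding, RSA, hardcoded sha256WithRSAEncryption OID) carried through in code, as an added example that is not from this thread or the FreeIPA code base. It assumes python-cryptography is installed and uses a small hand-written DER encoder in place of pyasn1; the request info it starts from is a constructed stand-in for what the IPA command would return.

```python
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# sha256WithRSAEncryption (RFC 4055): the one algorithm the thread fixes on
SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    """TLV wrapper: tag byte, DER length, content."""
    return bytes([tag]) + _der_len(len(content)) + content


def _der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(0x06, bytes(out))


def sign_request_info(request_info_der, private_key):
    """Wrap a DER CertificationRequestInfo into a DER CertificationRequest.

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo  CertificationRequestInfo,
        signatureAlgorithm        AlgorithmIdentifier,
        signature                 BIT STRING }

    The signature is RSA PKCS #1 v1.5 over SHA-256 of the request info
    bytes exactly as received; the algorithm identifier is hardcoded.
    """
    signature = private_key.sign(
        request_info_der, padding.PKCS1v15(), hashes.SHA256())
    # AlgorithmIdentifier: OID followed by explicit NULL parameters for RSA
    alg_id = _der(0x30, _der_oid(SHA256_WITH_RSA_OID) + _der(0x05, b""))
    # BIT STRING: first content byte is the unused-bit count (0 here)
    sig_bits = _der(0x03, b"\x00" + signature)
    return _der(0x30, request_info_der + alg_id + sig_bits)


def demo():
    """Obtain a request info, re-sign it by hand, reload the result."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    # Constructed input: a throw-away CSR is built only to get a DER
    # CertificationRequestInfo (stand-in for the IPA command's output);
    # its own signature is discarded and replaced by sign_request_info().
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                         u"host.ipa.example.test")])
    throwaway = (x509.CertificateSigningRequestBuilder()
                 .subject_name(name)
                 .sign(key, hashes.SHA256(), default_backend()))
    request_info_der = throwaway.tbs_certrequest_bytes
    csr_der = sign_request_info(request_info_der, key)
    # A library that understands CSRs natively must accept what we built
    csr = x509.load_der_x509_csr(csr_der, default_backend())
    return csr, key


if __name__ == "__main__":
    csr, key = demo()
    print("signature valid:", csr.is_signature_valid,
          "algorithm:", csr.signature_algorithm_oid.dotted_string)
```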

[Freeipa-devel] [freeipa PR#386][opened] Tests: Add tree root domain role in legacy client tests

2017-01-10 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/386
Author: gkaihorodova
 Title: #386: Tests: Add tree root domain role in legacy client tests
Action: opened

PR body:
"""
Legacy client tests inherit test cases from trust tests, which have a
role for the tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/386/head:pr386
git checkout pr386
From 3653a5a7e2b625b23b50f6412e6b01bada5ba0f5 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Tue, 10 Jan 2017 15:17:40 +0100
Subject: [PATCH] Tests: Add tree root domain role in legacy client tests

Legacy client tests inherit test cases from trust tests, which have a
role for the tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600
---
 ipatests/test_integration/test_legacy_clients.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 33958a2..8bd680a 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -385,14 +385,14 @@ class BaseTestLegacySSSDBefore19RedHat(object):
 
 advice_id = 'config-redhat-sssd-before-1-9'
 required_extra_roles = ['legacy_client_sssd_redhat']
-optional_extra_roles = ['ad_subdomain']
+optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
 
 
 class BaseTestLegacyNssPamLdapdRedHat(object):
 
 advice_id = 'config-redhat-nss-pam-ldapd'
 required_extra_roles = ['legacy_client_nss_pam_ldapd_redhat']
-optional_extra_roles = ['ad_subdomain']
+optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
 
 def clear_sssd_caches(self):
 tasks.clear_sssd_cache(self.master)
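Review bot: because `ad_treedomain` goes into optional_extra_roles rather than required_extra_roles, the inherited trust test cases that exercise the tree domain must still skip cleanly when the topology provides no tree-root AD host; worth checking that they do, since before this change they were simply never given the role. The same one-line edit is repeated for three near-identical base classes (the third is in the next hunk); a shared role list, or the attribute in a common base class, would keep them from drifting apart again, which is how this omission happened.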
@@ -402,7 +402,7 @@ class BaseTestLegacyNssLdapRedHat(object):
 
 advice_id = 'config-redhat-nss-ldap'
 required_extra_roles = ['legacy_client_nss_ldap_redhat']
-optional_extra_roles = ['ad_subdomain']
+optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
 
 def clear_sssd_caches(self):
 tasks.clear_sssd_cache(self.master)

[Freeipa-devel] [freeipa PR#382][synchronized] [WIP] Py3 ipa-server-install fixes

2017-01-10 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/382
Author: mbasti-rh
 Title: #382: [WIP] Py3 ipa-server-install fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382
From 0ba8877d4f0a6e96d4e338a88f8638d00ad980b1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/10] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using
the io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 
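Review bot: `io.open(pwd_file, 'w')` creates the NSS database password file with the process umask default (0666 & ~umask, typically world-readable); the old `os.open(..., os.O_CREAT | os.O_RDWR)` had the same weakness, so this is pre-existing, but since the line is being rewritten it is the moment to create it restricted, e.g. `with os.fdopen(os.open(pwd_file, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as f:`. An explicit `encoding='utf-8'` would also avoid depending on the locale, although the generated password is ASCII.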

From f97b56d35539dbc091d20282e01b7a804c6f8732 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/10] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way, and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 9 +
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..c96cd8b 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,10 +208,11 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
-auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_name = pw_file.name
+pw_file.write(dm_password)
+auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
 auth_parms = ["-Y", "GSSAPI"]
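Review bot: with `delete=False` the temporary file holding the Directory Manager password deliberately outlives the `with` block (ldapmodify reads it through `-y pw_name`), but nothing in this hunk removes it afterwards; make sure the caller unlinks pw_name in a `finally:` once the command has run, as the previous mkstemp-based code had the same leak. NamedTemporaryFile, like mkstemp, creates the file with mode 0600, so the permissions themselves are fine.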

From 381a6570f75a581d01e8ed57d701654ae36d388e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/10] py3: open temporary ldif file in text mode

ldif parser uses file in text mode, so we have to open it in text mode
in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 89315b6..2721d88 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -582,14 +582,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
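Review bot: `mode='w'` opens the temporary dse.ldif in text mode with the locale's default encoding, and so does the `open(dse_filename, "r")` two lines below; pass `encoding='utf-8'` on both so the rewrite does not depend on the environment's LANG during installation. The `[b'5']` change matches the commit message's note that the parser takes bytes values; a short comment at the call site would stop the next reader from "fixing" it back to a str.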

From 

[Freeipa-devel] [freeipa PR#385][synchronized] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/385
Author: stlaz
 Title: #385: Generate sha256 ssh pubkey fingerprints for hosts
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/385/head:pr385
git checkout pr385
From 6744fc2410eefe48b5b685bde9bf70a5b3cc94be Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Dec 2016 16:59:48 +0100
Subject: [PATCH] Generate sha256 ssh pubkey fingerprints for hosts

Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/util.py   |  2 +-
 ipapython/ssh.py | 13 +++--
 ipatests/test_xmlrpc/test_host_plugin.py |  2 +-
 ipatests/test_xmlrpc/test_idviews_plugin.py  |  2 +-
 ipatests/test_xmlrpc/test_stageuser_plugin.py|  2 +-
 ipatests/test_xmlrpc/test_user_plugin.py |  2 +-
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py |  2 +-
 7 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 1c00cd7..81c0e9e 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs):
 except (ValueError, UnicodeDecodeError):
 continue
 
-fp = pubkey.fingerprint_hex_md5()
+fp = pubkey.fingerprint_hex_sha256()
 comment = pubkey.comment()
 if comment:
 fp = u'%s %s' % (fp, comment)
diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index c76cf51..57752ae 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -25,8 +25,8 @@
 import base64
 import re
 import struct
-from hashlib import md5, sha1
-from hashlib import sha256  #pylint: disable=E0611
+from hashlib import sha1
+from hashlib import sha256  # pylint: disable=E0611
 
 import six
 
@@ -190,10 +190,11 @@ def openssh(self):
 
 return out
 
-def fingerprint_hex_md5(self):
-fp = md5(self._key).hexdigest().upper()
-fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)])
-return fp
+def fingerprint_hex_sha256(self):
+# OpenSSH trims the trailing '=' of base64 sha256 FP representation
+# Using unicode argument converts the result to unicode object
+fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=')
+return 'SHA256:{fp}'.format(fp=fp)
 
 def _fingerprint_dns(self, fpfunc, fptype):
 if self._keytype == 'ssh-rsa':
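Review bot: `base64.b64encode(...)` returns bytes, and on Python 3 `bytes.rstrip(u'=')` raises TypeError; the comment about the unicode argument converting the result describes Python 2 behaviour only. Decode first, e.g. `fp = base64.b64encode(sha256(self._key).digest()).decode('ascii').rstrip('=')` and `return u'SHA256:{fp}'.format(fp=fp)`, so the result is text on both versions. The method is also still called fingerprint_hex_sha256 although it now returns base64 rather than hex; fingerprint_sha256 would be less misleading.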
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index b36c6b8..d4384e1 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -84,7 +84,7 @@
 ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn)
 
 sshpubkey = u'ssh-rsa B3NzaC1yc2EDAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test'
-sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)'
+sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'
 
 user1 = u'tuser1'
 user2 = u'tuser2'
diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index b1bb5ab..35d31b3 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -66,7 +66,7 @@
   'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01'
   '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF'
   '0L public key test')
-sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B '
+sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE '
 'public key test (ssh-rsa)')
 
 
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 4a859e8..e61bf7a 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -40,7 +40,7 @@
  'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01'
  '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF'
  '0L public key test')
-sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B '
+sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE '
'public key test (ssh-rsa)')
 
 options_def = OrderedDict([
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 7508578..c09d793 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ 

[Freeipa-devel] [freeipa PR#383][comment] Remove duplicated step from DS install

2017-01-10 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/383
Title: #383: Remove duplicated step from DS install

stlaz commented:
"""
The tests passed, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/383#issuecomment-271622092

[Freeipa-devel] [freeipa PR#383][+ack] Remove duplicated step from DS install

2017-01-10 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/383
Title: #383: Remove duplicated step from DS install

Label: +ack

[Freeipa-devel] [freeipa PR#385][opened] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/385
Author: stlaz
 Title: #385: Generate sha256 ssh pubkey fingerprints for hosts
Action: opened

PR body:
"""
Replace md5 with sha256 for host ssh pubkey fingerprints. MD5 is disabled in 
FIPS mode, newer versions of OpenSSH print SHA256 public key fingerprint anyway.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/385/head:pr385
git checkout pr385
From 9863d201ca2bb116adfe57e4a83527d663389a57 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Dec 2016 16:59:48 +0100
Subject: [PATCH] Generate sha256 ssh pubkey fingerprints for hosts

Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/util.py   | 2 +-
 ipapython/ssh.py | 9 +
 ipatests/test_xmlrpc/test_host_plugin.py | 2 +-
 ipatests/test_xmlrpc/test_idviews_plugin.py  | 2 +-
 ipatests/test_xmlrpc/test_stageuser_plugin.py| 2 +-
 ipatests/test_xmlrpc/test_user_plugin.py | 2 +-
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 2 +-
 7 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 1c00cd7..81c0e9e 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs):
 except (ValueError, UnicodeDecodeError):
 continue
 
-fp = pubkey.fingerprint_hex_md5()
+fp = pubkey.fingerprint_hex_sha256()
 comment = pubkey.comment()
 if comment:
 fp = u'%s %s' % (fp, comment)
diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index c76cf51..1e72dd5 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -190,10 +190,11 @@ def openssh(self):
 
 return out
 
-def fingerprint_hex_md5(self):
-fp = md5(self._key).hexdigest().upper()
-fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)])
-return fp
+def fingerprint_hex_sha256(self):
+# OpenSSH trims the trailing '=' of base64 sha256 FP representation
+# Using unicode argument converts the result to unicode object
+fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=')
+return 'SHA256:{fp}'.format(fp=fp)
 
 def _fingerprint_dns(self, fpfunc, fptype):
 if self._keytype == 'ssh-rsa':
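Review bot: this revision removes the only visible user of md5 but leaves the `from hashlib import md5, sha1` line at the top of ssh.py untouched (the synchronized revision of this PR shown earlier on this page does drop it), so pylint will report an unused import; remove md5 from the import in the same patch.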
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index b36c6b8..35a8401 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -84,7 +84,7 @@
 ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn)
 
 sshpubkey = u'ssh-rsa B3NzaC1yc2EDAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test'
-sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)'
+sshpubkeyfp = u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'
 
 user1 = u'tuser1'
 user2 = u'tuser2'
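Review bot: the expected fixture value here has no `SHA256:` prefix, yet fingerprint_hex_sha256 in this same patch returns `'SHA256:{fp}'`, so this assertion cannot match the command's output; the prefix belongs in the fixture (`u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'`), as in the synchronized revision of this PR shown earlier on this page. The same applies to the idviews, stageuser and user plugin fixtures in the hunks that follow.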
diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index b1bb5ab..13e8862 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -66,7 +66,7 @@
   'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01'
   '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF'
   '0L public key test')
-sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B '
+sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE '
 'public key test (ssh-rsa)')
 
 
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 4a859e8..89ffc1a 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -40,7 +40,7 @@
  'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01'
  '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF'
  '0L public key test')
-sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B '
+sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE '
'public key test (ssh-rsa)')
 
 options_def = OrderedDict([
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 7508578..8f1ff38 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -55,7 +55,7 @@
  

[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.

2017-01-10 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/373
Author: tjaalton
 Title: #373: ipaplatform: Add Debian platform module.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/373/head:pr373
git checkout pr373
From 3bce58353c8247ad5b920225b01ce96de79f4b10 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Thu, 5 Jan 2017 12:41:08 +0200
Subject: [PATCH] ipaplatform: Add Debian platform module.

v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static
---
 ipaplatform/base/tasks.py   |   3 +-
 ipaplatform/debian/__init__.py  |   7 ++
 ipaplatform/debian/constants.py |  25 +
 ipaplatform/debian/paths.py |  98 
 ipaplatform/debian/services.py  | 196 
 ipaplatform/debian/tasks.py |  51 +++
 ipaplatform/setup.py|   1 +
 7 files changed, 380 insertions(+), 1 deletion(-)
 create mode 100644 ipaplatform/debian/__init__.py
 create mode 100644 ipaplatform/debian/constants.py
 create mode 100644 ipaplatform/debian/paths.py
 create mode 100644 ipaplatform/debian/services.py
 create mode 100644 ipaplatform/debian/tasks.py

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 702da6b..8cf6fde 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -227,7 +227,8 @@ def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, co
 else:
 log.debug('user %s exists', name)
 
-def parse_ipa_version(self, version):
+@staticmethod
+def parse_ipa_version(version):
 """
 :param version: textual version
 :return: object implementing proper __cmp__ method for version compare
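Review bot: turning parse_ipa_version into a @staticmethod on the base namespace changes the contract for platform task modules that override it as a regular instance method; confirm that the existing fedora and redhat task modules get the same treatment in this patch (the v3/v4 notes in the commit message suggest they do), otherwise a subclass override would shadow the static method with a bound one and calls via the base class would behave differently from calls via the platform object.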
diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py
new file mode 100644
index 000..6305270
--- /dev/null
+++ b/ipaplatform/debian/__init__.py
@@ -0,0 +1,7 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This module contains Debian specific platform files.
+"""
diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py
new file mode 100644
index 000..1edcb5a
--- /dev/null
+++ b/ipaplatform/debian/constants.py
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This Debian family platform module exports platform dependant constants.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class DebianConstantsNamespace(BaseConstantsNamespace):
+HTTPD_USER = "www-data"
+NAMED_USER = "bind"
+NAMED_GROUP = "bind"
+# ntpd init variable used for daemon options
+NTPD_OPTS_VAR = "NTPD_OPTS"
+# quote used for daemon options
+NTPD_OPTS_QUOTE = "\'"
+ODS_USER = "opendnssec"
+ODS_GROUP = "opendnssec"
+SECURE_NFS_VAR = "NEED_GSSD"
+
+constants = DebianConstantsNamespace()
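Review bot: `NTPD_OPTS_QUOTE = "\'"` escapes a single quote inside a double-quoted string, which is unnecessary; `"'"` says the same thing without the backslash. Otherwise the constants look consistent with the Debian package user and group names they name.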
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
new file mode 100644
index 000..8bc6684
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,98 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This Debian base platform module exports default filesystem paths as common
+in Debian-based systems.
+"""
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+import sysconfig
+
+MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
+AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
+ETC_HTTPD_DIR = "/etc/apache2"
+HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+NAMED_CONF = "/etc/bind/named.conf"
+NAMED_VAR_DIR = "/var/cache/bind"
+NAMED_KEYTAB = "/etc/bind/named.keytab"
+NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
+NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
+OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ETC_DEBIAN_VERSION = "/etc/debian_version"
+IPA_P11_KIT = 

[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.

2017-01-10 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/373
Author: tjaalton
 Title: #373: ipaplatform: Add Debian platform module.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/373/head:pr373
git checkout pr373
From 394f36acdd897dae25a5554c71cbdfc3d76cb4d0 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Thu, 5 Jan 2017 12:41:08 +0200
Subject: [PATCH] ipaplatform: Add Debian platform module.

v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static
---
 ipaplatform/base/tasks.py   |   3 +-
 ipaplatform/debian/__init__.py  |   7 ++
 ipaplatform/debian/constants.py |  25 ++
 ipaplatform/debian/paths.py |  98 +
 ipaplatform/debian/services.py  | 185 
 ipaplatform/debian/tasks.py |  46 ++
 ipaplatform/setup.py|   1 +
 7 files changed, 364 insertions(+), 1 deletion(-)
 create mode 100644 ipaplatform/debian/__init__.py
 create mode 100644 ipaplatform/debian/constants.py
 create mode 100644 ipaplatform/debian/paths.py
 create mode 100644 ipaplatform/debian/services.py
 create mode 100644 ipaplatform/debian/tasks.py

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 702da6b..8cf6fde 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -227,7 +227,8 @@ def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, co
 else:
 log.debug('user %s exists', name)
 
-def parse_ipa_version(self, version):
+@staticmethod
+def parse_ipa_version(version):
 """
 :param version: textual version
 :return: object implementing proper __cmp__ method for version compare
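Review bot: turning `parse_ipa_version(self, version)` into a `@staticmethod` taking only `version` changes the calling convention for every override and caller; please confirm in the same commit that no platform tasks subclass still defines it as `parse_ipa_version(self, version)` (it would shadow the static method with a different signature) and that the new Debian tasks module calls it without passing an instance. The v3 note in the commit message only says "make parse_ipa_version static"; one sentence on why (it never used `self`) would help future readers.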
diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py
new file mode 100644
index 000..6305270
--- /dev/null
+++ b/ipaplatform/debian/__init__.py
@@ -0,0 +1,7 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This module contains Debian specific platform files.
+"""
diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py
new file mode 100644
index 000..1edcb5a
--- /dev/null
+++ b/ipaplatform/debian/constants.py
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This Debian family platform module exports platform dependant constants.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class DebianConstantsNamespace(BaseConstantsNamespace):
+HTTPD_USER = "www-data"
+NAMED_USER = "bind"
+NAMED_GROUP = "bind"
+# ntpd init variable used for daemon options
+NTPD_OPTS_VAR = "NTPD_OPTS"
+# quote used for daemon options
+NTPD_OPTS_QUOTE = "\'"
+ODS_USER = "opendnssec"
+ODS_GROUP = "opendnssec"
+SECURE_NFS_VAR = "NEED_GSSD"
+
+constants = DebianConstantsNamespace()
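Review bot: `NTPD_OPTS_QUOTE = "\'"` escapes a single quote inside a double-quoted string, which is redundant; `"'"` reads more clearly. The module docstring uses `'''` while `__init__.py` and `paths.py` use `"""`; pick one style across the new package. Spelling: "platform dependant constants" should be "platform dependent constants".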
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
new file mode 100644
index 000..a3fa02f
--- /dev/null
+++ b/ipaplatform/debian/paths.py
@@ -0,0 +1,98 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+"""
+This Debian base platform module exports default filesystem paths as common
+in Debian-based systems.
+"""
+
+# Fallback to default path definitions
+from ipaplatform.base.paths import BasePathNamespace
+import sysconfig
+
+MULTIARCH = sysconfig.get_config_var('MULTIARCH')
+
+class DebianPathNamespace(BasePathNamespace):
+BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
+AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
+ETC_HTTPD_DIR = "/etc/apache2"
+HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
+ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
+ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
+HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
+HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
+HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
+HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
+HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
+HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
+IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
+NAMED_CONF = "/etc/bind/named.conf"
+NAMED_VAR_DIR = "/var/cache/bind"
+NAMED_KEYTAB = "/etc/bind/named.keytab"
+NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
+NAMED_ROOT_KEY = "/etc/bind/bind.keys"
+NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
+NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
+OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+ETC_DEBIAN_VERSION = "/etc/debian_version"
+IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
+  
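Review bot: `NAMED_ROOT_KEY` and `NAMED_BINDKEYS_FILE` both point at `/etc/bind/bind.keys`; if one file intentionally serves both roles on Debian, a comment saying so will stop someone "fixing" it later. `IPA_P11_KIT` is now `/usr/local/share/ca-certificates/ipa-ca.crt`, which is a ca-certificates drop-in rather than a p11-kit trust file: on Debian a certificate placed there only enters the system trust store after `update-ca-certificates` runs, so whichever tasks routine installs the IPA CA certificate must trigger that, and the constant name no longer describes what the path holds. Minor: the stdlib `import sysconfig` conventionally precedes the `ipaplatform` import, and PEP 8 wants two blank lines before `class DebianPathNamespace`.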

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 72343881600556e394923489643029781474bd93 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires a database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 --
 ipalib/util.py  | 95 +
 4 files changed, 113 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
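Review bot: with NSSConnection gone, the new `ca_certfile` default `{confdir}/ca.crt` becomes the client's only trust anchor for the RPC connection, whereas before the CA lived in the nssdb. The commit message should state which step writes that file on client install, and the client should fail closed with a clear error when the file is absent rather than silently falling back to the system trust store.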
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
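Review bot: the comment on `('ca_certfile', object)` should state the default the way the `nss_dir` line above it does, e.g. `# Path to CA cert file, default {confdir}/ca.crt`, since the value is set in config.py but this table is where readers look it up.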
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
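Review bot: swapping `from nss.error import NSPRError` for `from ssl import SSLError` changes what the module's `except` clauses can catch. Every former `except NSPRError` in rpc.py must be re-targeted, and NSPRError also covered socket-level failures (connection refused, timeouts) that the OpenSSL-based httplib raises as `socket.error`/`OSError` rather than `SSLError`; those handlers most likely need a tuple of exception types, otherwise connection failures that used to be reported cleanly will surface as tracebacks.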
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 
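Review bot: the removed `NSSConnection(...)` call passed `tls_version_min`/`tls_version_max` from `api.env`, and the NSS database implied certificate verification; the replacement `IPAHTTPSConnection(host, 443, ...` is cut off here, so the review needs to confirm that it loads `ca_certfile` with verification required, checks the server hostname against the certificate, and still honours `api.env.tls_version_min`/`tls_version_max`, otherwise this change silently weakens the client's TLS guarantees. Dropping `get_connection_dbdir` and the `no_init` bookkeeping is correct, since a CA file has no process-global initialisation state to share. Nit: trailing whitespace on `+host, 443, `.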

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-10 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
In the last update I added SSLv2 support in IPAHTTPSConnection for backward 
compatibility (https://goo.gl/images/gqh2D9).
I also removed the Fedora crypto policies ciphers as we are not supporting that 
right now and if we did, we should do that on server as well. There would 
perhaps be a ticket required.
Also added a ticket to "Move RA agent certificate file export to a different 
location" as it fixes an issue with missing /etc/httpd/alias/kra-agent.pem as 
well.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-271560505

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 6038830d9489cdfde4e7ac700a93c0fb2e99c7aa Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires a database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 --
 ipalib/util.py  | 95 +
 4 files changed, 113 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN

2017-01-10 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/245
Title: #245: Allow full customisability of IPA CA subject DN

HonzaCholasta commented:
"""
* `--subject-base` and `--ca-subject` are not validated in `ipa-ca-install`.
* Please squash "{ds,ca}instance: rename 'subject' to 'ca_subject'" into "Allow 
full customisability of IPA CA subject DN".
* Please use the correct ticket URL in "Add sanity checks for use of 
--ca-subject and --subject-base".
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/245#issuecomment-271536923

[Freeipa-devel] [freeipa PR#381][comment] disable hostname canonicalization by Kerberos library

2017-01-10 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/381
Title: #381: disable hostname canonicalization by Kerberos library

tiran commented:
"""
One Travis job was failing, I restarted it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/381#issuecomment-271534967

Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-01-10 Thread Martin Babinsky

Hi Fraser,

I have some rather inane comments. I guess Jan Cholasta will do a more 
thorough review of your design. See below:


On 01/06/2017 09:08 AM, Fraser Tweedale wrote:

Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is to improve security by
removing an egregious privilege separation violation: the RA Agent
cert.

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:

  http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication


First of all, you link an internal document from a publicly available 
design page. You should prepare a publicly visible version of the 
Dogtag-side design and link that.


It would also be nice to have a high-level graphical representation of 
the proposed CSR processing workflow. I think you can re-use the one 
that is in the Dogtag part, omit the Dogtag internals and add 
IPA-specific parts.




Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).



Is the DL bump really necessary? Are you sure we really cannot just 
update the profile configuration and let older Dogtag installations 
handle it gracefully? IIRC we have done some profile inclusion work in 
4.2 development and on and never really bothered about older Dogtag 
understanding them.


Anyway, I guess we can call `certprofile-import' to load the 
ExternalProcessConstraint-enabled profile upon setting the domain level to 
2; we just have to know where on the FS it is located.



Of course, any other general or specific feedback is welcome.

Thanks,
Fraser



So if I understand correctly, there will be no change in the CA ACL 
management interface and only the code which evaluates them will be 
factored out into the 'ipa-pki-validate-cert-request' command? Also, 
wouldn't it be simpler if the CA ACL evaluation was delegated to a separate 
API command instead? ExternalProcessConstraint would then only ask the IPA 
JSON API and process the response.


--
Martin^3 Babinsky
