[Freeipa-devel] [freeipa PR#404][comment] tests: Add LDAP URI to ldappasswd explicitly
URL: https://github.com/freeipa/freeipa/pull/404
Title: #404: tests: Add LDAP URI to ldappasswd explicitly

dkupka commented:
"""
@tiran Nice catch, I've added it to ipaserver/install/service.py, too, but I would rather not extend this outside of tests.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/404#issuecomment-275153569

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
With this last rebase I can install again both ca and ca-less without issues.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299
[Freeipa-devel] [freeipa PR#404][synchronized] tests: Add LDAP URI to ldappasswd explicitly
URL: https://github.com/freeipa/freeipa/pull/404 Author: dkupka Title: #404: tests: Add LDAP URI to ldappasswd explicitly Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/404/head:pr404 git checkout pr404 From d530c8ba1c86dc7e33fad04ad20c03617dd2fce9 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/test_integration/util.py | 3 ++- ipatests/util.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py index 179f672..181e675 100644 --- a/ipatests/test_integration/util.py +++ b/ipatests/test_integration/util.py @@ -21,6 +21,7 @@ import re from ipaplatform.paths import paths +from ipalib import api from ipalib.constants import DEFAULT_CONFIG def run_repeatedly(host, command, assert_zero_rc=True, test=None, @@ -86,5 +87,5 @@ def ldappasswd_user_change(user, oldpw, newpw, master): userdn = "uid={},{},{}".format(user, container_user, basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] master.run_command(args) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
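Review bot: in the ipatests/test_integration/util.py hunk for ldappasswd_user_change, the argument list is executed on the remote master via `master.run_command(args)`, but `api.env.ldap_uri` is evaluated in the test controller's own process; make sure the configured URI is meaningful from the master's point of view (an `ldapi://` socket path or a controller-local hostname would not be), or build the URI from `master.hostname` instead.

Review bot: the ipatests/util.py hunk (unlock_principal_password) is fine as it runs locally against the configured API; while touching the series, the commit Subject spells "explicitelly", which the PR title already has as "explicitly".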
[Freeipa-devel] [freeipa PR#404][synchronized] tests: Add LDAP URI to ldappasswd explicitly
URL: https://github.com/freeipa/freeipa/pull/404 Author: dkupka Title: #404: tests: Add LDAP URI to ldappasswd explicitly Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/404/head:pr404 git checkout pr404 From ed601611bb132ce399548051257cb7185ad237e5 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/test_integration/util.py | 2 +- ipatests/util.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py index 179f672..ea5c820 100644 --- a/ipatests/test_integration/util.py +++ b/ipatests/test_integration/util.py @@ -86,5 +86,5 @@ def ldappasswd_user_change(user, oldpw, newpw, master): userdn = "uid={},{},{}".format(user, container_user, basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] master.run_command(args) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
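Review bot: this revision drops the `+from ipalib import api` hunk from ipatests/test_integration/util.py (the diffstat now shows a 1-line change in that file) while the `'-H', api.env.ldap_uri` change in ldappasswd_user_change stays; if `api` is not already imported in that module the failure will be a NameError at call time rather than at import time, so please confirm the existing import or restore the one from the previous revision.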
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From 29767acc613c28711db5383c5a3b266f69316188 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From 7cf43ea8033694b9c20625cb3015c2cb8755fef2 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 107 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 279 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..9343f9a --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import itertools +import pytest + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +def
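Review bot: `enable()` and `disable()` in ipatests/test_xmlrpc/tracker/base.py run the command and hand the result to `check_enable`/`check_disable`, but unlike `update(self, updates, expected_updates=None)` they do not adjust the tracker's expected attributes (e.g. the enabled flag), so a later `retrieve()` in the same test would compare against stale state; consider recording the expected flag change the way `update()` records `expected_updates`.

Review bot: in ipatests/test_xmlrpc/test_certmap_plugin.py, `certmaprule_optional_params` lists `'ipaassociateddomain'` whereas both `certmaprule_create_params` and `certmaprule_update_params` use `u'associateddomain'`; any test that iterates over the optional parameter names will miss or mis-handle that attribute, so the three should agree. Minor: `u'changed arbitrary maching rule'` should read `matching`.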
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/4] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 9 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 843 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn:
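Review bot: both `System: Read Certmap Configuration` and `System: Read Certmap Rules` grant `compare,read,search` to `userdn = ldap:///all`, i.e. every authenticated principal can read `ipacertmapmaprule` and `ipacertmapmatchrule`, while Add/Modify/Delete are gated on permission groups; this mirrors the existing `Read CA ACLs` ACI above, but please state in the commit message or design page that unrestricted read of the mapping rules is intended (for example because enrolled clients have to fetch them), so the choice is recorded rather than inherited by copy.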
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tomaskrizek commented:
"""
**ACK** for z-stream with the patched PKI. Waiting for the PKI release and bump of `Requires` to ack and merge upstream.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-275066963
Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
On 01/25/2017 12:46 PM, Tomas Krizek wrote:
> On 01/13/2017 05:44 PM, Petr Vobornik wrote:
>> On 01/13/2017 03:49 PM, Rob Crittenden wrote:
>>> Tomas Krizek wrote:
On 01/12/2017 04:17 PM, Rob Crittenden wrote:
> Tomas Krizek wrote:
>> On 12/19/2016 04:41 PM, Standa Laznicka wrote:
>>> On 12/19/2016 03:07 PM, John Dennis wrote:
On 12/19/2016 03:12 AM, Standa Laznicka wrote:
> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>
>>> Tomáš and I are still investigating what of all the things will need to change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed to install and run a patched FreeIPA server and client and connect them together.
>>>
>>> There are some issues with NSS when trying to create an HTTPS request (apparently, NSS requires an NSS database password to set up an SSL connection). I am actually thinking of removing NSSConnection from the client altogether.
>> Can you expand on this a bit? NSS should only need a pin when it needs access to a private key. What connection(s) are you talking about, and what would you replace NSSConnection with?
>>
>> rob
> Hello Rob,
>
> Thank you for this excellent question; in order to cut the email short I seem to have omitted quite a bit of information.
>
> One of the very first problems I had with FreeIPA with FIPS was that NSS was always asking for a password/pin. I was discussing this with the NSS guys on their IRC chat last week and it turns out that NSS tries to create a private key every time you want to use it as a backend for an SSL connection on FIPS. I still don't think this is quite right so I may open a bugzilla for that.
I don't understand, I thought the case you were having problems with was the FreeIPA client, not the server.
I assume when you use the term "backend" you mean server, and yes, when NSS is in server mode it will need access to keys. So isn't the problem that NSS is not being initialized correctly so that it recognizes it is in client mode and not server mode?
>>> What I meant was "a client backend for an SSL connection" - we're using the NSS implementation of SSL (via python-nss) for HTTPS connections from client to server, during which we're getting a CA cert from an NSS database, but this eventually leads to a password prompt.
> Anyway, the guys suggested to me that we could try to create the database with an empty password and everything will work. I don't quite like that either, but it's at least something if you don't want the `ipa` command to always bug you for a password you have no way of knowing if you're just a regular user.
>
> What I think would be a better way to go is to use httplib.HTTPSConnection. We have the needed certificates in /etc/ipa/ca.crt anyway, so why not use them instead. We had a discussion with Honza this morning and it seems that with this approach we may get rid of the NSSConnection class altogether (although I still need to check a few spots) and start the process of moving away from NSS, which was discussed some year ago in an internal mailing list (for some reason).
>
> Will be happy to hear thoughts on this,
> Standa
I'm not a big fan of NSS, it has its issues. As the author of the Python binding I'm quite aware of all the nasty behaviors NSS has and needs to be worked around. I wouldn't be sad to see it go, but OpenSSL has its own issues too. If you remove NSS you're also removing the option to support smart cards, HSMs etc. Perhaps before removing functionality it would be good to assess what the requirements are.
>>> I'm sorry I generalized too much, the original topic was moving away from python-nss (of which I am even more sorry as you're the author).
>>>
>> We could use some ideas on how to handle replica installations in FIPS.
>>
>> We might use some flag in LDAP to indicate that a topology is FIPS-enabled. It seems like a good idea to force all servers in a FIPS-enabled topology to also be FIPS-enabled. At the start of replica installation, a check could be performed to verify the FIPS topology status is the same as the current system's FIPS
[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1
URL: https://github.com/freeipa/freeipa/pull/393 Author: MartinBasti Title: #393: [Py3] allow to run wsgi - part1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/393/head:pr393 git checkout pr393 From 7916e9756da15bbeb06256101b8316c5e8dc9f80 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 11 Jan 2017 16:54:25 +0100 Subject: [PATCH 01/15] py3: session.py decode server name to str This fix is temporal because Memcache will be removed soon, so it is more workaround than fix https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/session.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/session.py b/ipaserver/session.py index 85deb15..020dcc1 100644 --- a/ipaserver/session.py +++ b/ipaserver/session.py @@ -828,7 +828,7 @@ def get_server_statistics(self): result = {} stats = self.mc.get_stats() for server in stats: -match = self.mc_server_stat_name_re.search(server[0]) +match = self.mc_server_stat_name_re.search(server[0].decode()) if match: name = match.group(1) result[name] = server[1] From be4ab4f89262f33d71b4bf29937deef09e2527e8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Jan 2017 17:13:52 +0100 Subject: [PATCH 02/15] py3: rpcserver: decode input because json requires string json library parses string so input must be decoded https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 1da4ec4..7f800ac 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -195,7 +195,7 @@ def read_input(environ): length = int(environ.get('CONTENT_LENGTH')) except (ValueError, TypeError): return -return environ['wsgi.input'].read(length) +return environ['wsgi.input'].read(length).decode('utf-8') def params_2_args_options(params): From 11c15490e6ee911d386b94282300a2435b60e822 Mon Sep 17 00:00:00 2001 
From: Martin Basti Date: Wed, 11 Jan 2017 17:15:49 +0100 Subject: [PATCH 03/15] Py3: Fix undefined variable Variable 'e' has only local scope in except block in Py3 https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 7f800ac..306d085 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -404,7 +404,7 @@ def wsgi_execute(self, environ): type(self).__name__, principal, name, - type(e).__name__) + type(error).__name__) version = options.get('version', VERSION_WITHOUT_CAPABILITIES) return self.marshal(result, error, _id, version) From 2a8cd79a2291300d26470af2cd27dd197271a632 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Jan 2017 17:24:16 +0100 Subject: [PATCH 04/15] py3: session: fix r/w ccache data ccache contains binary data, so it should be read and write in binary mode https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/session.py | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ipaserver/session.py b/ipaserver/session.py index 020dcc1..0f3a9ad 100644 --- a/ipaserver/session.py +++ b/ipaserver/session.py @@ -21,6 +21,7 @@ import os import re import time +import io # pylint: disable=import-error from six.moves.urllib.parse import urlparse @@ -1228,9 +1229,8 @@ def load_ccache_data(ccache_name): scheme, name = krb5_parse_ccache(ccache_name) if scheme == 'FILE': root_logger.debug('reading ccache data from file "%s"', name) -src = open(name) -ccache_data = src.read() -src.close() +with io.open(name, "rb") as src: +ccache_data = src.read() return ccache_data else: raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name) 
@@ -1239,9 +1239,8 @@ def bind_ipa_ccache(ccache_data, scheme='FILE'): if scheme == 'FILE': name = _get_krbccache_pathname() root_logger.debug('storing ccache data into file "%s"', name) -dst = open(name, 'w') -dst.write(ccache_data) -dst.close() +with io.open(name, 'wb') as dst: +dst.write(ccache_data) else: raise ValueError('ccache scheme "%s" unsupported', scheme) From 36f849e2c876c6418db99d8cf72b54026d32a18f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 12 Jan 2017 18:50:56 +0100 Subject: [PATCH 05/15] py3: WSGI executioners must return bytes in list WSGI prints TypeError into error log when IPA doesn't return bytes in list as result
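Review bot: in the ipaserver/rpcserver.py `read_input` hunk, `environ['wsgi.input'].read(length).decode('utf-8')` raises `UnicodeDecodeError` for a request body that is not valid UTF-8, and that exception would propagate out of the WSGI entry point; the function already returns `None` when `CONTENT_LENGTH` is unusable (`except (ValueError, TypeError): return`), so catch `UnicodeDecodeError` and treat a malformed body the same way, or map it to the same client-side error the caller produces for an empty input.

Review bot: the ipaserver/session.py `load_ccache_data` hunk sits next to the context line `raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)`, which passes the format arguments as extra exception arguments so the message is never interpolated; since the surrounding lines are being rewritten anyway, `ValueError('ccache scheme "%s" unsupported (%s)' % (scheme, ccache_name))` would make the log message useful.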
[Freeipa-devel] [freeipa PR#413][synchronized] Complete stageuser API
URL: https://github.com/freeipa/freeipa/pull/413 Author: dkupka Title: #413: Complete stageuser API Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/413/head:pr413 git checkout pr413 From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) From b7c90dfdabfc6229cbe6d33efe326bcca5873958 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Wed, 18 Jan 2017 13:24:29 +0100 Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert Move {add,remove}-cert implementation from user to baseuser and inherit {,stage}user-{add,remove}-cert from it. https://fedorahosted.org/freeipa/ticket/6623 --- API.txt| 24 ipaserver/plugins/baseuser.py | 36 +++- ipaserver/plugins/stageuser.py | 14 ++ ipaserver/plugins/user.py | 42 +- 4 files changed, 78 insertions(+), 38 deletions(-) diff --git a/API.txt b/API.txt index 543cec5..182daa8 100644 --- a/API.txt +++ b/API.txt 
@@ -4751,6 +4751,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_add_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_add_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -4882,6 +4893,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_remove_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_remove_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -6661,10 +6683,12 @@ default: sidgen_was_run/1 default: stageuser/1 default: stageuser_activate/1 default: stageuser_add/1 +default: stageuser_add_cert/1 default: stageuser_add_manager/1 default: stageuser_del/1 default: stageuser_find/1 default: stageuser_mod/1 +default: stageuser_remove_cert/1 default: stageuser_remove_manager/1 default: stageuser_show/1 default: sudocmd/1 diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 85ad417..75cf7d8 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
@@ -26,7 +26,7 @@ from .baseldap import ( DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember, -LDAPRemoveMember) +LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption) from ipaserver.plugins.service import ( validate_certificate, validate_realm, normalize_principal) from ipalib.request import context @@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ensure_last_krbprincipalname(ldap, entry_attrs, *keys) return dn + + +class baseuser_add_cert(LDAPAddAttributeViaOption): +attribute = 'usercertificate' + +def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, + **options): +self.obj.convert_usercertificate_pre(entry_attrs) + +return dn + +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) + +self.obj.convert_usercertificate_post(entry_attrs, **options) + +return dn + + +class
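Review bot: the diffstat for patch 2/8 lists API.txt, baseuser.py, stageuser.py and user.py but no ACI.txt or permission update, yet the new `stageuser_add_cert` / `stageuser_remove_cert` commands write `usercertificate` on entries in the staged-users container; confirm that the existing permission covering user certificate management also applies there, otherwise the commands work only for admins with unrestricted write access. Also, patch 1/8 duplicates the change proposed in PR#404 and should be dropped on rebase once that one merges.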
[Freeipa-devel] [freeipa PR#347][+pushed] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions
Label: +pushed
[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

martbab commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/e1ed8b5eff40331ba532d37f3fb08814d8a55b77
https://fedorahosted.org/freeipa/changeset/517d43e78b8d8ea0b796a6ff6a379236eaae21df
https://fedorahosted.org/freeipa/changeset/2831b30e9a9de947481c058d8d32e174f951b1c0
https://fedorahosted.org/freeipa/changeset/86f4a93fb3aeb6742acab5abaa1c17b525ea4223
"""

See the full comment at https://github.com/freeipa/freeipa/pull/347#issuecomment-275115080
[Freeipa-devel] [freeipa PR#347][closed] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
Title: #347: Improvements in {get|set}_directive functions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
[Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy
URL: https://github.com/freeipa/freeipa/pull/353
Title: #353: [RFE] Pwdpolicy

simo5 commented:
"""
I found two subtle bugs that cause the install failure; with the rebased patches the install completes correctly for me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/353#issuecomment-275106444
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, reproduced. It is not clear to me how yet, but at some point ca.crt gets zeroed out and that's why the ldap command fails; investigating.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642
[Freeipa-devel] [freeipa PR#353][synchronized] [RFE] Pwdpolicy
URL: https://github.com/freeipa/freeipa/pull/353 Author: simo5 Title: #353: [RFE] Pwdpolicy Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/353/head:pr353 git checkout pr353 From a7213592a0b643a63dbdc8bff5bae08f30448b7b Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Fri, 16 Dec 2016 07:12:45 -0500 Subject: [PATCH 1/2] Add code to retrieve results from multiple bases Internally performs multiple seraches as needed based on the basedn strings passed in and whether the caller indicated that any result is ok or all results are needed. Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.h| 10 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++ 2 files changed, 113 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 1fdb409..e1f46c6 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le, int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, LDAPDerefRes **results); +struct ipadb_multires; +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r); +void ipadb_multires_free(struct ipadb_multires *r); +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r); +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any); + /* PRINCIPALS FUNCTIONS */ krb5_error_code ipadb_get_principal(krb5_context kcontext, krb5_const_principal search_for, diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 7438f35..5995efe 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c +++ b/daemons/ipa-kdb/ipa_kdb_common.c 
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, ldap_controls_free(ctrls); return ret; } + +struct ipadb_multires { +LDAP *lcontext; +LDAPMessage **res; +LDAPMessage *next; +ssize_t cursor; +ssize_t count; +}; + +krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r) +{ +*r = malloc(sizeof(struct ipadb_multires)); +if (!*r) return ENOMEM; +(*r)->lcontext = lcontext; +(*r)->res = NULL; +(*r)->next = NULL; +(*r)->cursor = -1; +(*r)->count = 0; + +return 0; +} + +void ipadb_multires_free(struct ipadb_multires *r) +{ +for (int i = 0; i < r->count; i++) { +ldap_msgfree(r->res[i]); +} +free(r); +} + +LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r) +{ +if (r->count == 0) return NULL; + +if (r->next) { +r->next = ldap_next_entry(r->lcontext, r->next); +} +if (r->next == NULL) { +if (r->cursor >= r->count - 1) { +return NULL; +} +r->cursor++; +r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]); +} + +return r->next; +} + +krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx, + char **basedns, int scope, + char *filter, char **attrs, + struct ipadb_multires **res, + bool any) +{ +int ret; + +ret = ipadb_multires_init(ipactx->lcontext, res); +if (ret != 0) return ret; + +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + +for (int b = 0; basedns[b]; b++) { +LDAPMessage *r; +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +_timeout, LDAP_NO_LIMIT, ); + +/* first test if we need to retry to connect */ +if (ret != 0 && +ipadb_need_retry(ipactx, ret)) { +ldap_msgfree(r); +ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope, +filter, attrs, 0, NULL, NULL, +_timeout, LDAP_NO_LIMIT, ); +} + +if (ret != 0) break; + +if (ldap_count_entries(ipactx->lcontext, r) > 0) { +void *tmp = realloc((*res)->res, (((*res)->count + 1) * +sizeof(LDAPMessage *))); +if (tmp == NULL) { +ret = ENOMEM; +break; 
+} +(*res)->res = tmp; +(*res)->res[(*res)->count] = r; +(*res)->count++; + +if (any) break; +} +} + +if (ret != 0) { +
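Review bot: `ipadb_multibase_search` leaks the result container on two early-exit paths: `ipadb_multires_init(ipactx->lcontext, res)` runs before `ipadb_check_connection(ipactx)`, so a failed connection check returns with `*res` still allocated, and inside the loop a result message whose `ldap_count_entries(...)` is 0 is never handed to `ldap_msgfree(r)` because only the `> 0` branch stores it. Move the init after the connection check (or free on that failure) and add an `else ldap_msgfree(r);` for the empty-result case. Related, `ipadb_multires_free` frees every `r->res[i]` but not the `r->res` array itself, so `free(r->res);` should precede `free(r)`, and it dereferences `r` without a NULL check. Finally, the retry branch calls `ldap_msgfree(r)` on the output of a failed `ldap_search_ext_s`; declaring `LDAPMessage *r = NULL;` makes it explicit that this is safe even if the library leaves the pointer untouched on error.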
[Freeipa-devel] [freeipa PR#347][synchronized] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347 Author: martbab Title: #347: Improvements in {get|set}_directive functions Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/347/head:pr347 git checkout pr347 From 245fbdca0a1cc4223e9fc204abc86710502a693c Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Fri, 16 Dec 2016 12:14:20 +0100 Subject: [PATCH 1/4] Fix the installutils.set_directive docstring Add missing parameter descriptions and fix incorrect indentation https://fedorahosted.org/freeipa/ticket/6460 --- ipaserver/install/installutils.py | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 0d8a574..7f96eb2 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -388,11 +388,14 @@ def set_directive(filename, directive, value, quotes=True, separator=' ', This has only been tested with nss.conf - :param directive: directive name - :param value: value of the directive - :param quotes: whether to quote `value` in `quote_char`. If true, then -the `quote_char` are first escaped to avoid unparseable directives - :param quote_char: the character used for quoting `value` +:param filename: input filename +:param directive: directive name +:param value: value of the directive +:param quotes: whether to quote `value` in `quote_char`. If true, then +the `quote_char` are first escaped to avoid unparseable directives. +:param separator: character serving as separator between directive and +value +:param quote_char: the character used for quoting `value` """ def format_directive(directive, value, separator, quotes, quote_char): From 66284ffef287addaf85d8bd45ba1f30e72b5965b Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Fri, 16 Dec 2016 13:34:57 +0100 Subject: [PATCH 2/4] installutils: improve directive value parsing in `get_directive` `get_directive` value parsing was improved in order to bring its logic more in-line to changes in `set_directive`: a specified quoting character is now unquoted and stripped from the retrieved value. The function will now also error out when malformed directive is encountered. https://fedorahosted.org/freeipa/ticket/6460 --- ipaserver/install/installutils.py | 19 +-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 7f96eb2..4f93372 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -436,16 +436,31 @@ def format_directive(directive, value, separator, quotes, quote_char): fd.close() os.chown(filename, st.st_uid, st.st_gid) # reset perms + def get_directive(filename, directive, separator=' '): """ A rather inefficient way to get a configuration directive. + +:param filename: input filename +:param directive: directive name +:param separator: separator between directive and value +:param quote_char: the characters that are used in this particular config +file to quote values. This character will be stripped and unescaped +from the raw value. + +:returns: The (unquoted) value if the directive was found, None otherwise """ fd = open(filename, "r") for line in fd: if line.lstrip().startswith(directive): line = line.strip() -result = line.split(separator, 1)[1] -result = result.strip('"') + +(directive, sep, value) = line.partition(separator) +if not sep or not value: +raise ValueError("Malformed directive: {}".format(line)) + +result = value.strip().strip(quote_char) +result = ipautil.unescape_seq(quote_char, result)[0] result = result.strip(' ') fd.close() return result From 6b62a01843f9f01be1ae09e6880e384e50700f06 Mon Sep 17 00:00:00 2001 
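Review bot: `quote_char` is used in this hunk (`value.strip().strip(quote_char)` and `ipautil.unescape_seq(quote_char, result)`) and described in the new docstring, but the signature shown as unchanged context is still `def get_directive(filename, directive, separator=' '):`, so as written the function raises `NameError` on the first matching line. Add the parameter with a default that matches what `set_directive` emits, e.g. `def get_directive(filename, directive, separator=' ', quote_char='"'):`, so the round trip stays compatible. Also, the new `raise ValueError("Malformed directive: ...")` fires while `fd` is still open; wrapping the loop in `with open(filename, "r") as fd:` closes the handle on that path too.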
From: Martin Babinsky Date: Tue, 10 Jan 2017 17:15:33 +0100 Subject: [PATCH 3/4] Delegate directive value quoting/unquoting to separate functions Separate functions were added to installutils module to quote/unquote a string in arbitrary characters. `installutils.get/set_directive` functions will use them to enclose the directive values in double quotes/strip the double quotes from retrieved values to maintain the original behavior. These functions can be used also for custom quoting/unquoting of retrieved values when desired. https://fedorahosted.org/freeipa/ticket/6460 --- ipaserver/install/installutils.py | 70 --- 1 file changed, 43 insertions(+), 27 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index
[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347 Title: #347: Improvements in {get|set}_directive functions martbab commented: """ Thanks, let's hope that all this code will be replaced by some proper configuration parsing mechanism in the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/347#issuecomment-275099477
[Freeipa-devel] [freeipa PR#413][synchronized] Complete stageuser API
URL: https://github.com/freeipa/freeipa/pull/413 Author: dkupka Title: #413: Complete stageuser API Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/413/head:pr413 git checkout pr413 From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) From edb52e84f3d1c59d7057855de50f795755ce9a44 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Wed, 18 Jan 2017 13:24:29 +0100 Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert Move {add,remove}-cert implementation from user to baseuser and inherit {,stage}user-{add,remove}-cert from it. https://fedorahosted.org/freeipa/ticket/6623 --- API.txt| 24 ipaserver/plugins/baseuser.py | 36 +++- ipaserver/plugins/stageuser.py | 14 ++ ipaserver/plugins/user.py | 38 -- 4 files changed, 77 insertions(+), 35 deletions(-) diff --git a/API.txt b/API.txt index 543cec5..182daa8 100644 --- a/API.txt +++ b/API.txt 
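Review bot: in the `unlock_principal_password` hunk both passwords are still passed as argv (`'-w', oldpw, '-a', oldpw, '-s', newpw`), so for the lifetime of the `ldappasswd` process they are visible to every local user via the process list; that is tolerable in test code, but if this helper is ever reused outside ipatests, `ldappasswd` accepts `-y`, `-t` and `-T` to read the bind, old and new passwords from files. The `'-H', api.env.ldap_uri` addition itself is the right fix: with `-x` simple bind the password is sent in the clear unless the URI is `ldapi://` or `ldaps://`, so the test should not fall back to the tool's compiled-in default URI.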
@@ -4751,6 +4751,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_add_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_add_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -4882,6 +4893,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_remove_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_remove_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -6661,10 +6683,12 @@ default: sidgen_was_run/1 default: stageuser/1 default: stageuser_activate/1 default: stageuser_add/1 +default: stageuser_add_cert/1 default: stageuser_add_manager/1 default: stageuser_del/1 default: stageuser_find/1 default: stageuser_mod/1 +default: stageuser_remove_cert/1 default: stageuser_remove_manager/1 default: stageuser_show/1 default: sudocmd/1 diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 85ad417..75cf7d8 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
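Review bot: two commands (`stageuser_add_cert/1`, `stageuser_remove_cert/1`) are added to API.txt, but the diffstat in the commit header lists only API.txt, baseuser.py, stageuser.py and user.py, so the API minor version in VERSION.m4 is not bumped in this patch; the project convention is to bump it whenever API.txt gains or changes a command, and the `makeapi` check in CI will flag the mismatch otherwise.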
@@ -26,7 +26,7 @@ from .baseldap import ( DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember, -LDAPRemoveMember) +LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption) from ipaserver.plugins.service import ( validate_certificate, validate_realm, normalize_principal) from ipalib.request import context @@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ensure_last_krbprincipalname(ldap, entry_attrs, *keys) return dn + + +class baseuser_add_cert(LDAPAddAttributeViaOption): +attribute = 'usercertificate' + +def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, + **options): +self.obj.convert_usercertificate_pre(entry_attrs) + +return dn + +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) + +self.obj.convert_usercertificate_post(entry_attrs, **options) + +return dn + + +class
[Freeipa-devel] [freeipa PR#401][closed] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Author: MartinBasti Title: #401: [4.4] Wait until http principal entry is replicated to replica Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/401/head:pr401 git checkout pr401
[Freeipa-devel] [freeipa PR#401][comment] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Title: #401: [4.4] Wait until http principal entry is replicated to replica martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/3d0a0728766aed7245427b9eaf210e31fd40e440 https://fedorahosted.org/freeipa/changeset/5bddcdb47b40baeae7379e00e8d87297ed3f1cd4 https://fedorahosted.org/freeipa/changeset/74020d07dbf14202f696a0c8521829abc735d4c7 """ See the full comment at https://github.com/freeipa/freeipa/pull/401#issuecomment-275098857
[Freeipa-devel] [freeipa PR#401][+pushed] [4.4] Wait until http principal entry is replicated to replica
URL: https://github.com/freeipa/freeipa/pull/401 Title: #401: [4.4] Wait until http principal entry is replicated to replica Label: +pushed
[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1
URL: https://github.com/freeipa/freeipa/pull/393 Author: MartinBasti Title: #393: [Py3] allow to run wsgi - part1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/393/head:pr393 git checkout pr393 From 7916e9756da15bbeb06256101b8316c5e8dc9f80 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 11 Jan 2017 16:54:25 +0100 Subject: [PATCH 01/15] py3: session.py decode server name to str This fix is temporal because Memcache will be removed soon, so it is more workaround than fix https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/session.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/session.py b/ipaserver/session.py index 85deb15..020dcc1 100644 --- a/ipaserver/session.py +++ b/ipaserver/session.py @@ -828,7 +828,7 @@ def get_server_statistics(self): result = {} stats = self.mc.get_stats() for server in stats: -match = self.mc_server_stat_name_re.search(server[0]) +match = self.mc_server_stat_name_re.search(server[0].decode()) if match: name = match.group(1) result[name] = server[1] From be4ab4f89262f33d71b4bf29937deef09e2527e8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Jan 2017 17:13:52 +0100 Subject: [PATCH 02/15] py3: rpcserver: decode input because json requires string json library parses string so input must be decoded https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 1da4ec4..7f800ac 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -195,7 +195,7 @@ def read_input(environ): length = int(environ.get('CONTENT_LENGTH')) except (ValueError, TypeError): return -return environ['wsgi.input'].read(length) +return environ['wsgi.input'].read(length).decode('utf-8') def params_2_args_options(params): From 11c15490e6ee911d386b94282300a2435b60e822 Mon Sep 17 00:00:00 2001 
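Review bot: in the `read_input` hunk, `environ['wsgi.input'].read(length).decode('utf-8')` decodes an attacker-controlled request body with the strict codec, so a malformed byte sequence now raises `UnicodeDecodeError` out of `read_input` before any JSON-RPC error handling runs, instead of the bad-request path the function already takes for an unusable `CONTENT_LENGTH` (the bare `return`, i.e. `None`). Catch `UnicodeDecodeError` and return on that path too, or move the decode inside the existing `try` and add it to the caught exceptions. The session.py hunk (`server[0].decode()`) is fine as the stopgap the message describes, since memcache stat names are ASCII.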
From: Martin Basti Date: Wed, 11 Jan 2017 17:15:49 +0100 Subject: [PATCH 03/15] Py3: Fix undefined variable Variable 'e' has only local scope in except block in Py3 https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 7f800ac..306d085 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -404,7 +404,7 @@ def wsgi_execute(self, environ): type(self).__name__, principal, name, - type(e).__name__) + type(error).__name__) version = options.get('version', VERSION_WITHOUT_CAPABILITIES) return self.marshal(result, error, _id, version) From 2a8cd79a2291300d26470af2cd27dd197271a632 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Jan 2017 17:24:16 +0100 Subject: [PATCH 04/15] py3: session: fix r/w ccache data ccache contains binary data, so it should be read and write in binary mode https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/session.py | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ipaserver/session.py b/ipaserver/session.py index 020dcc1..0f3a9ad 100644 --- a/ipaserver/session.py +++ b/ipaserver/session.py @@ -21,6 +21,7 @@ import os import re import time +import io # pylint: disable=import-error from six.moves.urllib.parse import urlparse @@ -1228,9 +1229,8 @@ def load_ccache_data(ccache_name): scheme, name = krb5_parse_ccache(ccache_name) if scheme == 'FILE': root_logger.debug('reading ccache data from file "%s"', name) -src = open(name) -ccache_data = src.read() -src.close() +with io.open(name, "rb") as src: +ccache_data = src.read() return ccache_data else: raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name) 
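Review bot: the unchanged context line at the end of the `load_ccache_data` hunk, `raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)`, never interpolates its arguments (they become extra args of the exception rather than being applied with `%`), so the message reads literally `ccache scheme "%s" unsupported (%s)`; since the block is being touched, `raise ValueError('ccache scheme "%s" unsupported (%s)' % (scheme, ccache_name))` would fix it. The patch 03 change from `type(e)` to `type(error)` is correct: Python 3 unbinds the `except ... as e` target at the end of the except block, so `e` was an undefined name there.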
@@ -1239,9 +1239,8 @@ def bind_ipa_ccache(ccache_data, scheme='FILE'): if scheme == 'FILE': name = _get_krbccache_pathname() root_logger.debug('storing ccache data into file "%s"', name) -dst = open(name, 'w') -dst.write(ccache_data) -dst.close() +with io.open(name, 'wb') as dst: +dst.write(ccache_data) else: raise ValueError('ccache scheme "%s" unsupported', scheme) From 36f849e2c876c6418db99d8cf72b54026d32a18f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 12 Jan 2017 18:50:56 +0100 Subject: [PATCH 05/15] py3: WSGI executioners must return bytes in list WSGI prints TypeError into error log when IPA doesn't return bytes in list as result
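Review bot: `io.open(name, 'wb')` in `bind_ipa_ccache` creates the ccache file with whatever mode the process umask yields, and the data written is a Kerberos credential cache; the file should be created 0600, e.g. `os.fdopen(os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'wb')`. The permissions are pre-existing behaviour, but switching this line to binary mode is the natural moment to fix it. Same formatting issue as in the previous hunk: `raise ValueError('ccache scheme "%s" unsupported', scheme)` does not apply `%`.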
[Freeipa-devel] [freeipa PR#413][opened] Complete stageuser API
URL: https://github.com/freeipa/freeipa/pull/413 Author: dkupka Title: #413: Complete stageuser API Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6623 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/413/head:pr413 git checkout pr413 From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 19 Jan 2017 09:18:32 +0100 Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitelly Test should always respect api.env.* values. https://fedorahosted.org/freeipa/ticket/6622 --- ipatests/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/util.py b/ipatests/util.py index 9320383..2450f13 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw): user, api.env.container_user, api.env.basedn) args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw, -'-s', newpw, '-x'] +'-s', newpw, '-x', '-H', api.env.ldap_uri] return run(args) From edb52e84f3d1c59d7057855de50f795755ce9a44 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Wed, 18 Jan 2017 13:24:29 +0100 Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert Move {add,remove}-cert implementation from user to baseuser and inherit {,stage}user-{add,remove}-cert from it. https://fedorahosted.org/freeipa/ticket/6623 --- API.txt| 24 ipaserver/plugins/baseuser.py | 36 +++- ipaserver/plugins/stageuser.py | 14 ++ ipaserver/plugins/user.py | 38 -- 4 files changed, 77 insertions(+), 35 deletions(-) diff --git a/API.txt b/API.txt index 543cec5..182daa8 100644 --- a/API.txt +++ b/API.txt 
@@ -4751,6 +4751,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_add_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_add_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -4882,6 +4893,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: stageuser_remove_cert/1 +args: 1,5,3 +arg: Str('uid', cli_name='login') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: stageuser_remove_manager/1 args: 1,5,3 arg: Str('uid', cli_name='login') @@ -6661,10 +6683,12 @@ default: sidgen_was_run/1 default: stageuser/1 default: stageuser_activate/1 default: stageuser_add/1 +default: stageuser_add_cert/1 default: stageuser_add_manager/1 default: stageuser_del/1 default: stageuser_find/1 default: stageuser_mod/1 +default: stageuser_remove_cert/1 default: stageuser_remove_manager/1 default: stageuser_show/1 default: sudocmd/1 diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 85ad417..75cf7d8 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
@@ -26,7 +26,7 @@ from .baseldap import ( DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember, -LDAPRemoveMember) +LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption) from ipaserver.plugins.service import ( validate_certificate, validate_realm, normalize_principal) from ipalib.request import context @@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ensure_last_krbprincipalname(ldap, entry_attrs, *keys) return dn + + +class baseuser_add_cert(LDAPAddAttributeViaOption): +attribute = 'usercertificate' + +def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, + **options): +self.obj.convert_usercertificate_pre(entry_attrs) + +return dn + +def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +assert isinstance(dn, DN) + +self.obj.convert_usercertificate_post(entry_attrs,
Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
On 01/13/2017 05:44 PM, Petr Vobornik wrote:
> On 01/13/2017 03:49 PM, Rob Crittenden wrote:
>> Tomas Krizek wrote:
>>> On 01/12/2017 04:17 PM, Rob Crittenden wrote:
Tomas Krizek wrote:
> On 12/19/2016 04:41 PM, Standa Laznicka wrote:
>> On 12/19/2016 03:07 PM, John Dennis wrote:
>>> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
On 12/16/2016 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> I started a design page for FreeIPA on FIPS-enabled systems: https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>
>> Tomáš and I are still investigating what of all things will need to change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed to install and run patched FreeIPA server and client and connect them together.
>>
>> There are some issues with NSS when trying to create an HTTPS request (apparently, NSS requires an NSS database password to set up an SSL connection). I am actually thinking of removing NSSConnection from the client altogether.
> Can you expand on this a bit? NSS should only need a pin when it needs access to a private key. What connection(s) are you talking about, and what would you replace NSSConnection with?
>
> rob
Hello Rob,

Thank you for this excellent question; in order to cut the email short I seem to have omitted quite a bit of information.

One of the very first problems I had with FreeIPA with FIPS was that NSS was always asking for a password/pin. I was discussing this with the NSS guys on their IRC chat last week and it turns out that NSS tries to create a private key every time you want to use it as a backend for an SSL connection on FIPS. I still don't think this is quite right so I may open a bugzilla for that.
>>> I don't understand, I thought the case you were having problems with was the FreeIPA client, not the server. I assume when you use the term "backend" you mean server, and yes when NSS is in server mode it will need access to keys. So isn't the problem NSS is not being initialized correctly so that it recognizes it is in client mode and not server mode?
>>>
>> What I meant was "a client backend for an SSL connection" - we're using NSS implementation of SSL (via python-nss) for HTTPS connections from client to server during which we're getting a CA cert from an NSS database but this eventually leads to a password prompt.

Anyway, the guys suggested to me that we could try to create the database with an empty password and everything will work. I don't quite like that either, but it's at least something if you don't want the `ipa` command to always bug you for a password you have no way of knowing if you're just a regular user.

What I think would be a better way to go is to use httplib.HTTPSConnection. We have the needed certificates in /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion with Honza this morning and it seems that with this approach we may get rid of the NSSConnection class altogether (although I still need to check a few spots) and start the process of moving away from NSS which was discussed a year or so ago in an internal mailing list (for some reason).

Will be happy to hear thoughts on this,
Standa
>>> I'm not a big fan of NSS, it has its issues. As the author of the Python binding I'm quite aware of all the nasty behaviors NSS has and needs to be worked around. I wouldn't be sad to see it go but OpenSSL has its own issues too. If you remove NSS you're also removing the option to support smart cards, HSMs etc. Perhaps before removing functionality it would be good to assess what the requirements are.
>>>
>> I'm sorry I generalized too much, the original topic was moving away from python-nss (of which I am even more sorry as you're the author).
>>
> We could use some ideas on how to handle replica installations in FIPS.
>
> We might use some flag in LDAP to indicate that a topology is FIPS-enabled. It seems like a good idea to force all servers in a FIPS-enabled topology to also be FIPS-enabled. At the start of replica installation, a check could be performed to verify the FIPS topology status is the same as the current system's FIPS status. However, this proposal has a flaw. It is possible to simply install a FIPS-enabled replica and then turn FIPS off. This would result in non-FIPS systems being part of a FIPS-enabled
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 107 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 279 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..9343f9a --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
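Review bot: `enable()` and `disable()` issue the command and check the result, but unlike `create()`, which calls `self.track_create()` before running the command, they record nothing about the expected state change in the tracker, so the tracked attributes go stale after an enable/disable unless every subclass updates them inside `check_enable`/`check_disable`. Either add `track_enable`/`track_disable` hooks mirroring `track_create`, or say in the `check_enable`/`check_disable` docstrings that the override is responsible for updating the tracked state.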
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import itertools +import pytest + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +def
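Review bot: in the second base.py hunk, enable() and disable() run the command and hand the result to check_enable()/check_disable() but never update the tracker's recorded state, whereas create() in the same file calls self.track_create() before its command runs. Without a matching track step a subclass's check_enable()/check_disable() can only inspect the raw command result and has no tracked expectation (e.g. an updated self.attrs) to compare a later lookup against. Consider adding track_enable()/track_disable() hooks (or updating the tracked attributes) in enable()/disable(), mirroring how create() is structured, so the certmap tracker in the next commit can verify the flag actually changed on the entry.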
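Review bot: in test_certmap_plugin.py, certmaprule_optional_params lists 'ipaassociateddomain', but both certmaprule_create_params and certmaprule_update_params above it use the key u'associateddomain'; whichever loop consumes the optional-params tuple will therefore look up or strip a key that never appears in the create dict, silently skipping that parameter instead of testing it. Align the tuple with the dict keys (u'associateddomain', given the create params). While touching this hunk, the value u'changed arbitrary maching rule' has a typo (matching); harmless for a free-form string, but worth fixing.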
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" tomaskrizek commented: """ **ACK** for z-stream with the patched PKI. Waiting for the PKI release and bump of `Requires` to ack and merge upstream. """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-275066963 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" pvoborni commented: """ Yes, but in different patch please. PKI with the fix was not released yet. So it should not block review of this patch. We can leave the ticket open until it is bumped. """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-275065152 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" tomaskrizek commented: """ Since the bug is completely fixed on the PKI side, shouldn't we bump the `Requires` to require the fixed version of PKI? Installation in an IPv6-only environment will not work without the updated PKI, since 127.0.0.1 was used as a default before [3a49b9b3738befc03914b0a96aad61f9650fb935](https://git.fedorahosted.org/cgit/pki.git/commit/?id=3a49b9b3738befc03914b0a96aad61f9650fb935). """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-275062210 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, it turns out the request fails not on the replica, but on the initial master, so it's actually `ipa-server-install` which is broken - if you install server from current master and replica from this PR it works fine. Steps to reproduce:
```
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com -r ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
...
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla
```
Note that you won't actually be able to do the above, as the `ipa-server-install` step will fail with:
```
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.xLK2pI.db
Unable to set admin password
Command '/usr/bin/ldappasswd -h vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA server
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This does not happen with current master. """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275044170 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code