Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Martin Babinsky
On Wed, Mar 08, 2017 at 07:37:40AM +0100, Jan Cholasta wrote:
>On 7.3.2017 15:14, Simo Sorce wrote:
>> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>> > On 03/06/2017 01:48 PM, Simo Sorce wrote:
>> > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>> > > > On 03/02/2017 02:54 PM, Simo Sorce wrote:
>> > > > > On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>> > > > > > In this case it would probably be a good idea to think about "forward
>> > > > > > compatibility" and define a new AUX objectclass bringing in
>> > > > > > 'ipaDomainResolutionOrder' instead of extending two separate
>> > > > > > objectclasses. In this way we may then just extend whatever object we
>> > > > > > desire to carry the override in an easy and clean way.
>> > > > > 
>> > > > > I agree.
>> > > > > Simo.
>> > > > > 
>> > > > 
>> > > > Now the most difficult question remains... How to name this objectclass.
>> > > > I personally am out of ideas but will try my best to come up with
>> > > > something meaningful.
>> > > 
>> > > Try to describe what the option ultimately does with as few words as
>> > > possible.
>> > > 
>> > > Simo.
>> > > 
>> > > 
>> > 
>> > I was thinking about this and since we are performing name qualification
>> > (short-name -> fully-qualified name incl. domain/realm part), I would
>> > like to propose the following naming schema:
>> > 
>> > objectClasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used
>> > for short name qualification data' SUP top AUXILIARY MAY
>> > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>> > 
>> > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>> > 'List of domains used to qualify user short name' EQUALITY
>> > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> > X-ORIGIN 'IPA v4.5' )
>> > 
>> > Let me know if you are ok with this or am I overengineering the names?
>> > 
>> > I would like to solve this quickly so that I can finish the design and
>> > start implementation.
>> 
>> I was thinking that we can use acronyms here to make it less of a
>> mouthful and also more easily recognizable:
>> My idea is:
>> - ipaNameQualificationData -> ipaFQDNPolicies
>> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder
>
>TBH I liked ipaDomainResolutionOrder the best, both
>ipaNameQualificationDomainList and ipaFQDNCheckOrder sound overengineered to
>me :-)
>
>If ipaDomainResolutionOrder is not good enough, we could draw some
>inspiration from resolv.conf and use e.g. ipaDomainSearchList.
>
>-- 
>Jan Cholasta

Sigh, naming stuff is always the hardest path.

As a compromise let's settle with the following:

  * objectclass: ipaNameResolutionData
  * attribute: ipaDomainSearchList

I will use these to update the design page. You can then object during another
phase of the review process.

-- 
Martin Babinsky

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
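What the attribute settled on above is for, as an added example that is not part of the thread or of FreeIPA's code: a small resolver that qualifies a short user name against an ordered domain search list, and a report of the names whose meaning depends on that order. The colon separator for the single-valued attribute, the sample identity stores and all domain and user names are assumptions made for the example.

```python
"""
Added example (not FreeIPA code): qualify a short user name against an ordered
domain search list, the job the attribute discussed in the thread
(ipaDomainResolutionOrder / ipaDomainSearchList) is meant to configure.

Assumptions: the single-valued attribute carries its domains as a
colon-separated string (the thread only fixes the LDAP syntax as an IA5
string), and SAMPLE_DIRECTORY is a constructed stand-in for the IPA and
trusted-AD identity stores.
"""
from typing import Dict, List, Optional, Set

# Constructed sample identity stores keyed by domain: which user names exist where.
SAMPLE_DIRECTORY: Dict[str, Set[str]] = {
    "ipa.example.test": {"alice", "admin"},
    "ad.example.test": {"bob", "admin"},
    "child.ad.example.test": {"carol"},
}


def parse_domain_search_list(value: str) -> List[str]:
    """Split the stored attribute value into an ordered, de-duplicated list.

    Domains are compared case-insensitively (the proposed EQUALITY rule is
    caseIgnoreIA5Match), so they are normalised to lower case here and a
    trailing dot is dropped.
    """
    seen: Set[str] = set()
    domains: List[str] = []
    for raw in value.split(":"):
        domain = raw.strip().lower().rstrip(".")
        if domain and domain not in seen:
            seen.add(domain)
            domains.append(domain)
    return domains


def qualify_user_name(name: str, search_list: List[str],
                      directory: Dict[str, Set[str]] = SAMPLE_DIRECTORY) -> Optional[str]:
    """Turn a short name into user@domain using the first listed domain that knows it.

    Returns None when the name exists in no listed domain. An already
    qualified name is accepted only if its domain is known and holds the user,
    so a caller cannot sidestep the search list by appending an arbitrary suffix.
    """
    if "@" in name:
        user, _, domain = name.rpartition("@")
        domain = domain.lower().rstrip(".")
        if user in directory.get(domain, set()):
            return f"{user}@{domain}"
        return None
    for domain in search_list:
        if name in directory.get(domain, set()):
            return f"{name}@{domain}"
    return None


def ambiguous_names(search_list: List[str],
                    directory: Dict[str, Set[str]] = SAMPLE_DIRECTORY) -> Dict[str, List[str]]:
    """Report short names present in more than one listed domain.

    These are exactly the names whose resolution flips when the order changes;
    an administrator should review this list before enabling short names.
    """
    owners: Dict[str, List[str]] = {}
    for domain in search_list:
        for user in directory.get(domain, set()):
            owners.setdefault(user, []).append(domain)
    return {user: doms for user, doms in owners.items() if len(doms) > 1}


if __name__ == "__main__":
    order = parse_domain_search_list(
        "ipa.example.test:ad.example.test:child.ad.example.test")
    for short in ("alice", "admin", "carol", "dave"):
        print(short, "->", qualify_user_name(short, order))
    print("order-dependent names:", ambiguous_names(order))
```

Reversing the search list changes which `admin` the short name resolves to, which is why the attribute is an ordered list rather than a set, and why `ambiguous_names` is worth running whenever the list is edited.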


Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Jan Cholasta

On 7.3.2017 15:14, Simo Sorce wrote:
> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>> On 03/06/2017 01:48 PM, Simo Sorce wrote:
>>> On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>>>> On 03/02/2017 02:54 PM, Simo Sorce wrote:
>>>>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>>>>>> In this case it would probably be a good idea to think about "forward
>>>>>> compatibility" and define a new AUX objectclass bringing in
>>>>>> 'ipaDomainResolutionOrder' instead of extending two separate
>>>>>> objectclasses. In this way we may then just extend whatever object we
>>>>>> desire to carry the override in an easy and clean way.
>>>>>
>>>>> I agree.
>>>>> Simo.
>>>>>
>>>> Now the most difficult question remains... How to name this objectclass.
>>>> I personally am out of ideas but will try my best to come up with
>>>> something meaningful.
>>>
>>> Try to describe what the option ultimately does with as few words as
>>> possible.
>>>
>>> Simo.
>>>
>> I was thinking about this and since we are performing name qualification
>> (short-name -> fully-qualified name incl. domain/realm part), I would
>> like to propose the following naming schema:
>>
>> objectClasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used
>> for short name qualification data' SUP top AUXILIARY MAY
>> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>>
>> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>> 'List of domains used to qualify user short name' EQUALITY
>> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> X-ORIGIN 'IPA v4.5' )
>>
>> Let me know if you are ok with this or am I overengineering the names?
>>
>> I would like to solve this quickly so that I can finish the design and
>> start implementation.
>
> I was thinking that we can use acronyms here to make it less of a
> mouthful and also more easily recognizable:
> My idea is:
> - ipaNameQualificationData -> ipaFQDNPolicies
> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder

TBH I liked ipaDomainResolutionOrder the best, both
ipaNameQualificationDomainList and ipaFQDNCheckOrder sound
overengineered to me :-)

If ipaDomainResolutionOrder is not good enough, we could draw some
inspiration from resolv.conf and use e.g. ipaDomainSearchList.

--
Jan Cholasta



Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-03-07 Thread Fraser Tweedale
On Wed, Feb 22, 2017 at 10:17:32AM +0100, Martin Kosek wrote:
> On 02/20/2017 06:03 AM, Fraser Tweedale wrote:
> > On Fri, Feb 10, 2017 at 11:48:39AM +0100, Martin Kosek wrote:
> >> On 02/10/2017 10:37 AM, Fraser Tweedale wrote:
> >>> On Fri, Feb 10, 2017 at 09:23:10AM +0100, Martin Kosek wrote:
> >>>> On 02/09/2017 10:44 PM, Fraser Tweedale wrote:
> >>>>> On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> >>>>>> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> >>>>>>> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >>>>>>>> On ke, 08 helmi 2017, Martin Kosek wrote:
> >>>>>>>>> Hi Fraser and the list,
> >>>>>>>>>
> >>>>>>>>> I recently was in a conversation about integrating OpenShift with
> >>>>>>>>> FreeIPA. One of the gaps was around generating a wildcard certificate
> >>>>>>>>> by FreeIPA that will be used in the default OpenShift router for
> >>>>>>>>> applications that do not deploy own certificates [1].
> >>>>>>>>>
> >>>>>>>>> Is there any way that FreeIPA can generate it? I was thinking that
> >>>>>>>>> uploading some custom certificate profile in FreeIPA may let us get
> >>>>>>>>> such certificate... Or is the only way we can add it by adding a new
> >>>>>>>>> RFE in FreeIPA, tracked in [2]?
> >>>>>>>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >>>>>>>> certificates to be issued:
> >>>>>>>>
> >>>>>>>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >>>>>>>>   specified in the request
> >>>>>>>>
> >>>>>>>> - we validate that host object exists in IPA when the Kerberos
> >>>>>>>>   principal is host/...
> >>>>>>>>
> >>>>>>>> We could lift off these two limitations for 'cn=*,$suffix' but there is
> >>>>>>>> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >>>>>>>> object has to be used for performing access rights check. The wildcard
> >>>>>>>> certificate does not need to be stored anywhere in the tree, but a
> >>>>>>>> check still needs to be done.
> >>>>>>>>
> >>>>>>>> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >>>>>>>> don't store public certificate in LDAP either but we do two checks:
> >>>>>>>> - a special KDC certificate profile is used to issue the cert
> >>>>>>>> - a special hostname check is done so that only IPA masters are able to
> >>>>>>>>   request this certificate
> >>>>>>>>
> >>>>>>>> For the wildcard certificate I think we could have following:
> >>>>>>>> - use a separate profile for the wildcard, associated with a sub-CA
> >>>>>>>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT'
> >>>>>>>>   so that actual certificate ignores requested CN.
> >>>>>>>> - a special check to be done so that only wildcard-based subject
> >>>>>>>>   alternative names can be added to a wildcard certificate request
> >>>>>>>> - all Kerberos principal / hostname checks are skipped.
> >>>>>>>> - actual ACL check is done by CA ACL.
> >>>>>>>>
> >>>>>>> Issuing wildcard certs is a deprecated practice[1].  I am not
> >>>>>>> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> >>>>>>> general) but I'd like to have a discussion with them about how
> >>>>>>> they're currently dealing with certs and whether a different
> >>>>>>> direction other than wildcard certs is feasible.  Martin, who should
> >>>>>>> I reach out to?  Feel free to copy them into this discussion.
> >>>>>>
> >>>>>> Right now, I am talking to a Solution Architect, i.e. someone who is
> >>>>>> building GAed solutions, not developers. This is not something we would
> >>>>>> change short-term anyway, this is how current OpenShift v2 or v3 behaves,
> >>>>>> despite the RFC.
> >>>>>>
> >>>>>> While I understand why having certificate *.lab.example.com and using it
> >>>>>> for my lab machines is a bad idea and increases the attack vector, I do
> >>>>>> not see it that way for OpenShift. There, applications get URL like
> >>>>>> ".myopenshift.test" and all is routed by one entity, the OpenShift
> >>>>>> broker. So the key.cert is on one location, just serving different names
> >>>>>> that are provisioned with OpenShift.
> >>>>>>
> >>>>>> I can understand that issuing a new certificate for every application
> >>>>>> provisioned by OpenShift and then renewing it complicates the design
> >>>>>> significantly. I am trying to be creative and see if current OpenShift
> >>>>>> could leverage FreeIPA CA and issue the broker cert, with current profile
> >>>>>> capabilities or with small change.
> >>>>>>
> >>>>> I believe OpenShift supports per-application certificates (i.e. when
> >>>>> app developers/maintainers supply their own cert for a custom
> >>>>> domain).  So it might be possible in v2 or v3 to provision a cert
> >>>>> for every app.
> >>>>
> >>>> Right, it
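The checks Alexander Bokovoy lists above, written out as an added example that is not FreeIPA's implementation: the ordinary profile's subject-CN / host-object checks next to a separate wildcard profile that accepts only single leftmost-label wildcard SANs inside zones the requester's CA ACL allows, and ignores the requested CN. The ACL table, the known-host list, the principal and zone names and the `CertRequest` structure are all constructed for the example.

```python
"""
Added example (not FreeIPA code): request-policy checks of the shape sketched
in the thread. check_host_request() is the existing rule (subject CN must match
the host principal, the host must exist); check_wildcard_request() is the
proposed dedicated wildcard profile, where the CA ACL decides who may request
which zone and only wildcard SANs under those zones are accepted.

Everything below (ACL table, host list, principals, zones) is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: which requester principal may obtain wildcards for which DNS zone.
# In a deployment this is the CA ACL decision the thread refers to.
WILDCARD_ACL: Dict[str, Set[str]] = {
    "host/router.myopenshift.test@EXAMPLE.TEST": {"apps.myopenshift.test"},
}

# Constructed: hosts known to IPA, consulted by the ordinary profile check.
KNOWN_HOSTS: Set[str] = {"router.myopenshift.test", "web1.example.test"}

# Exactly one leftmost wildcard label, followed by at least two ordinary labels
# (so '*.test' and '*.*.zone' are rejected, and '*' can appear nowhere else).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
WILDCARD_SAN = re.compile(rf"^\*\.({_LABEL}(?:\.{_LABEL})+)$")


@dataclass
class CertRequest:
    principal: str                    # Kerberos principal named in the request
    subject_cn: str                   # requested subject CN (wildcard profile ignores it)
    dns_sans: List[str] = field(default_factory=list)


def check_wildcard_request(req: CertRequest) -> List[str]:
    """Return the policy violations for the wildcard profile; empty means issue."""
    problems: List[str] = []
    allowed_zones = WILDCARD_ACL.get(req.principal, set())
    if not allowed_zones:
        problems.append(f"{req.principal} is not permitted to request wildcard certificates")
    if not req.dns_sans:
        problems.append("wildcard request carries no dNSName SAN")
    for san in req.dns_sans:
        m = WILDCARD_SAN.match(san.lower())
        if not m:
            problems.append(f"SAN {san!r} is not a single leftmost-label wildcard")
            continue
        if m.group(1) not in allowed_zones:
            problems.append(f"SAN {san!r} is outside the permitted zones {sorted(allowed_zones)}")
    return problems


def check_host_request(req: CertRequest) -> List[str]:
    """The ordinary profile's checks: CN matches the host principal, host exists,
    and no wildcard sneaks in through a SAN."""
    problems: List[str] = []
    if not req.principal.startswith("host/"):
        problems.append("only host principals may use this profile")
        return problems
    host = req.principal[len("host/"):].split("@", 1)[0].lower()
    if req.subject_cn.lower() != host:
        problems.append(f"subject CN {req.subject_cn!r} does not match principal host {host!r}")
    if host not in KNOWN_HOSTS:
        problems.append(f"host {host!r} does not exist in IPA")
    for san in req.dns_sans:
        if "*" in san:
            problems.append(f"SAN {san!r}: wildcards are not allowed in this profile")
    return problems


if __name__ == "__main__":
    req = CertRequest("host/router.myopenshift.test@EXAMPLE.TEST",
                      "router.myopenshift.test",
                      ["*.apps.myopenshift.test", "login.apps.myopenshift.test"])
    for problem in check_wildcard_request(req):
        print("reject:", problem)
```

Keeping the two profiles as separate functions mirrors the design point in the thread: the wildcard profile does not weaken the host checks of the normal profile, it is a different policy bound to a different CA ACL and sub-CA, so a wildcard can never be obtained by a requester who only holds rights under the ordinary profile.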

[Freeipa-devel] [freeipa PR#549][opened] T6601 certmap match

2017-03-07 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
 Title: #549: T6601 certmap match
Action: opened

PR body:
"""
WebUI: add support for certmap match command. 

PR contains also certmap rule patches from pullrequest #400 (I will rebase once 
#400 will be merged) because they are necessary. It also requires PRs #398 and 
#516.


https://pagure.io/freeipa/issue/6601
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549
From 8bb768e9acfd4442deb579c43f0f90cf16dafb37 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 13:59:16 +0100
Subject: [PATCH 1/8] WebUI: Add possibility to set field always writable

If field will have set attribute 'always_writable' to true, then
'no_update' flag will be ignored. Used in command user-{add,remove}-certmap
which needs to be writable in WebUI and also needs to be omitted from
user-mod command.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js  | 43 +++-
 install/ui/src/freeipa/widget.js | 35 ++--
 2 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d70a778..9f287dd 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) {
 writable = false;
 }
 
-if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) {
+// In case that field has set always_writable attribute, then
+// 'no_update' flag is ignored in WebUI. It is done because of
+// commands like user-{add,remove}-certmap. They operate with user's
+// attribute, which cannot be changed using user-mod, but only
+// using command user-{add,remove}-certmap. Therefore it has set
+// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in
+// WebUI.
+if (that.metadata.flags &&
+array.indexOf(that.metadata.flags, 'no_update') > -1 &&
+!that.always_writable) {
 writable = false;
 }
 }
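Review bot: `that.always_writable` is read here in the base `IPA.field`, but nothing in this function initialises it from `spec`, so a plain field configured with `always_writable: true` still ends up with `writable = false`; only the new `certmap_command_multivalued_field` subclass sets the property. Either add `that.always_writable = spec.always_writable;` next to the other spec-derived properties of `IPA.field`, or state in the comment that the attribute only takes effect through that subclass. The comment would also benefit from one sentence saying that this flag only changes what the WebUI renders: the `no_update` restriction of `user-mod` and the server-side ACIs still apply, which is what keeps the override safe.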
@@ -1259,6 +1268,37 @@ field.certs_field = IPA.certs_field = function(spec) {
 return that;
 };
 
+
+/**
+ * Used along with custom_command_multivalued widget
+ *
+ * - by default has `w_if_no_aci` to workaround missing object class
+ * - by default has always_writable=true to workaround aci rights
+ *
+ * @class
+ * @alternateClassName IPA.custom_command_multivalued_field
+ * @extends IPA.field
+ */
+field.certmap_command_multivalued_field = function(spec) {
+
+spec = spec || {};
+spec.flags = spec.flags || ['w_if_no_aci'];
+
+var that = IPA.field(spec);
+
+/**
+ * Set field always writable in case that it is set to true
+ * @param Boolean always_writable
+ */
+that.always_writable = spec.always_writable === undefined ? true :
+spec.always_writable;
+
+return that;
+};
+
+
+IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;
+
 /**
  * SSH Keys Adapter
  * @class
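Review bot: the alias at the end of the hunk, `IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;`, refers to a name this hunk never defines (the function is assigned to `field.certmap_command_multivalued_field`), so the alias evaluates to `undefined`, and the `@alternateClassName IPA.custom_command_multivalued_field` in the doc comment points at nothing. Use one name on both sides, e.g. `IPA.certmap_command_multivalued_field = field.certmap_command_multivalued_field;`, and align the doc comment. The `@param Boolean always_writable` tag documents a property rather than a parameter; a `@property` tag would fit better there.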
@@ -1652,6 +1692,7 @@ field.register = function() {
 f.register('checkbox', field.checkbox_field);
 f.register('checkboxes', field.field);
 f.register('combobox', field.field);
+f.register('certmap_multivalued', field.certmap_command_multivalued_field);
 f.register('datetime', field.datetime_field);
 f.register('enable', field.enable_field);
 f.register('entity_select', field.field);
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 15f0126..b7028a9 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1534,12 +1534,8 @@ IPA.custom_command_multivalued_widget = function(spec) {
  * Called on error of add command. Override point.
  */
 that.on_error_add = function(xhr, text_status, error_thrown) {
-that.adder_dialog.focus_first_element();
-
-if (error_thrown.message) {
-var msg = error_thrown.message;
-IPA.notify(msg, 'error');
-}
+that.adder_dialog.show();
+exp.focus_invalid(that.adder_dialog);
 };
 
 /**
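Review bot: the rewritten `on_error_add` drops the `IPA.notify(msg, 'error')` call, so a server error that is not a field validation failure (a permission error or a not-found error returned by the add command, for instance) no longer reaches the user: `exp.focus_invalid` only highlights fields the dialog itself marked invalid, and the dialog is merely re-shown with no explanation. Keep the `error_thrown.message` notification, or feed the message into the dialog's validation state, in addition to `show()` and `focus_invalid`.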
@@ -1599,27 +1595,16 @@ IPA.custom_command_multivalued_widget = function(spec) {
 name: 'custom-add-dialog'
 };
 
-that.adder_dialog = IPA.dialog(spec);
-that.adder_dialog.create_button({
-name: 'add',
-label: '@i18n:buttons.add',
-click: function() {
-if (!that.adder_dialog.validate()) {
-exp.focus_invalid(that.adder_dialog);
-}
-else {
-that.add(that.adder_dialog);
-}
+spec.on_ok = 

[Freeipa-devel] [freeipa PR#547][+pushed] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

Label: +pushed

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

tomaskrizek commented:
"""
master:

* adf8aabf10a57383aa6216625921503b83575757 Use GSS-SPNEGO if connecting locally
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/547#issuecomment-284824403

[Freeipa-devel] [freeipa PR#547][closed] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
 Title: #547: Use GSS-SPNEGO if connecting locally
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547

[Freeipa-devel] [freeipa PR#536][comment] ipa systemd unit should define Wants=network instead of Requires=network

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/536
Title: #536: ipa systemd unit should define Wants=network instead of 
Requires=network

tomaskrizek commented:
"""
master:

* f447489707812643ee918266f99ca1ac82a408af ipa systemd unit should define 
Wants=network instead of Requires=network
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/536#issuecomment-284823436

[Freeipa-devel] [freeipa PR#536][closed] ipa systemd unit should define Wants=network instead of Requires=network

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/536
Author: flo-renaud
 Title: #536: ipa systemd unit should define Wants=network instead of 
Requires=network
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/536/head:pr536
git checkout pr536

[Freeipa-devel] [freeipa PR#536][+pushed] ipa systemd unit should define Wants=network instead of Requires=network

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/536
Title: #536: ipa systemd unit should define Wants=network instead of 
Requires=network

Label: +pushed

[Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

tomaskrizek commented:
"""
master:

* 070bc48dd6c9bce32caa0f0f2de8d44b4e51 WebUI: Change structure of Identity 
submenu
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/533#issuecomment-284822725

[Freeipa-devel] [freeipa PR#533][closed] WebUI: Change structure of Identity submenu

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/533
Author: pvomacka
 Title: #533: WebUI: Change structure of Identity submenu
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/533/head:pr533
git checkout pr533

[Freeipa-devel] [freeipa PR#533][+pushed] WebUI: Change structure of Identity submenu

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

Label: +pushed

[Freeipa-devel] [freeipa PR#519][closed] WebUI: add sizelimit:0 to cert-find

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/519
Author: pvomacka
 Title: #519: WebUI: add sizelimit:0 to cert-find
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/519/head:pr519
git checkout pr519

[Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/519
Title: #519: WebUI: add sizelimit:0 to cert-find

tomaskrizek commented:
"""
master:

* aa8530b7af8f04a4ba868f73ea9f171911162638 WebUI: add sizelimit:0 to cert-find
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/519#issuecomment-284821038

[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

tomaskrizek commented:
"""
master:

* a06c71b1268850e485e89049ed3654f893edff0b Add SHA256 fingerprints for certs
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-284819750

[Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/529
Title: #529: installer: update time estimates

tomaskrizek commented:
"""
@stlaz That estimate was a bit off :) Thanks for noticing!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/529#issuecomment-284802644

[Freeipa-devel] [freeipa PR#529][synchronized] installer: update time estimates

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/529
Author: tomaskrizek
 Title: #529: installer: update time estimates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/529/head:pr529
git checkout pr529
From 3ee32517bf323ecc2edf8cbcd755613b96a84fe4 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 1 Mar 2017 17:35:56 +0100
Subject: [PATCH] installer: update time estimates

Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.

https://pagure.io/freeipa/issue/6596
---
 ipaserver/install/cainstance.py  | 7 ++-
 ipaserver/install/dsinstance.py  | 6 +++---
 ipaserver/install/httpinstance.py| 2 +-
 ipaserver/install/krainstance.py | 7 ++-
 ipaserver/install/krbinstance.py | 4 ++--
 ipaserver/install/service.py | 4 ++--
 ipaserver/install/upgradeinstance.py | 3 ++-
 7 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6e3f995..6ade7be 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -449,8 +449,13 @@ def configure_instance(self, host_name, dm_password, admin_password,
 self.step("configuring certmonger renewal for lightweight CAs",
   self.__add_lightweight_ca_tracking_requests)
 
+if ra_only:
+runtime = None
+else:
+runtime = 180
+
 try:
-self.start_creation(runtime=210)
+self.start_creation(runtime=runtime)
 finally:
 self.clean_pkispawn_files()
 
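Review bot: the new `ra_only` branch assumes `ra_only` is a parameter of `configure_instance`, which the truncated `@@` header does not show; please confirm it is in scope here. The four-line `if`/`else` reads more naturally as `runtime = None if ra_only else 180`, and the same block is repeated in the `krainstance.py` hunk of this patch, so moving the "no estimate when only the RA is configured" decision into `start_creation` or a shared helper would avoid keeping two copies in sync. The commit message says the estimates were made more accurate but not how the new value (180 s, down from 210) was measured; a note on that would help whoever updates the numbers next.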
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index bf80ae0..6a4efcb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -349,7 +349,7 @@ def create_instance(self, realm_name, fqdn, domain_name,
 
 self.__common_post_setup()
 
-self.start_creation(runtime=60)
+self.start_creation(runtime=30)
 
 def enable_ssl(self):
 self.steps = []
@@ -358,7 +358,7 @@ def enable_ssl(self):
 self.step("restarting directory server", self.__restart_instance)
 self.step("adding CA certificate entry", self.__upload_ca_cert)
 
-self.start_creation(runtime=10)
+self.start_creation()
 
 def create_replica(self, realm_name, master_fqdn, fqdn,
domain_name, dm_password,
@@ -411,7 +411,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 
 self.__common_post_setup()
 
-self.start_creation(runtime=60)
+self.start_creation(runtime=30)
 
 
 def __setup_replica(self):
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7979ca1..610c54a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -185,7 +185,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
 self.step("configuring httpd to start on boot", self.__enable)
 self.step("enabling oddjobd", self.enable_and_start_oddjobd)
 
-self.start_creation(runtime=60)
+self.start_creation()
 
 def __start(self):
 self.backup_state("running", self.is_running())
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index d7ab6fd..0ff54c1 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -134,8 +134,13 @@ def configure_instance(self, realm_name, host_name, dm_password,
 
 self.step("enabling KRA instance", self.__enable_instance)
 
+if ra_only:
+runtime = None
+else:
+runtime = 120
+
 try:
-self.start_creation(runtime=126)
+self.start_creation(runtime=runtime)
 finally:
 self.clean_pkispawn_files()
 
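Review bot: this repeats the `ra_only` / `runtime` selection from the `cainstance.py` hunk with a different constant (120 s instead of 126); if the two installers keep separate values, a one-line `runtime = None if ra_only else 120` is enough, otherwise share the logic between them. What `runtime=None` means to `start_creation` is decided in the `service.py` hunk, which is cut off in this message; please confirm that `None` results in no estimate being printed, as the commit message promises for tasks under 10 s, rather than falling back to some default.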
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 44b3821..2a390ce 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -164,7 +164,7 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 self.step("installing X509 Certificate for PKINIT",
   self.setup_pkinit)
 
-self.start_creation(runtime=30)
+self.start_creation()
 
 self.kpasswd = KpasswdInstance()
 self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix,
@@ -189,7 +189,7 @@ def create_replica(self, realm_name,
 
 self.__common_post_setup()
 
-self.start_creation(runtime=30)
+self.start_creation()
 
 self.kpasswd = KpasswdInstance()
 self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 837880f..35ebd9d 100644
--- 

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Martin Basti


On 07.03.2017 15:41, Martin Babinsky wrote:
> On Tue, Mar 07, 2017 at 04:34:42PM +0200, Alexander Bokovoy wrote:
>> On ti, 07 maalis 2017, Simo Sorce wrote:
>>> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>>>> On 03/06/2017 01:48 PM, Simo Sorce wrote:
>>>>> On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>>>>>> On 03/02/2017 02:54 PM, Simo Sorce wrote:
>>>>>>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>>>>>>>> In this case it would probably be a good idea to think about "forward
>>>>>>>> compatibility" and define a new AUX objectclass bringing in
>>>>>>>> 'ipaDomainResolutionOrder' instead of extending two separate
>>>>>>>> objectclasses. In this way we may then just extend whatever object we
>>>>>>>> desire to carry the override in an easy and clean way.
>>>>>>> I agree.
>>>>>>> Simo.
>>>>>>>
>>>>>> Now the most difficult question remains... How to name this objectclass.
>>>>>> I personally am out of ideas but will try my best to come up with
>>>>>> something meaningful.
>>>>> Try to describe what the option ultimately does with as few words as
>>>>> possible.
>>>>>
>>>>> Simo.
>>>>>
>>>>>
>>>> I was thinking about this and since we are performing name qualification
>>>> (short-name -> fully-qualified name incl. domain/realm part), I would
>>>> like to propose the following naming schema:
>>>>
>>>> objectClasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used
>>>> for short name qualification data' SUP top AUXILIARY MAY
>>>> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>>>>
>>>> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>>>> 'List of domains used to qualify user short name' EQUALITY
>>>> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>>>> X-ORIGIN 'IPA v4.5' )
>>>>
>>>> Let me know if you are ok with this or am I overengineering the names?
>>>>
>>>> I would like to solve this quickly so that I can finish the design and
>>>> start implementation.
>>> I was thinking that we can use acronyms here to make it less of a
>>> mouthful and also more easily recognizable:
>>> My idea is:
>>> - ipaNameQualificationData -> ipaFQDNPolicies
>>> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder
>> Sounds good to me.
>> --
>> / Alexander Bokovoy
> I am not sure about the relation of this to any policy, but I guess that is
> just nitpicking.
>
> I will wait awhile for others to object and then update design.
>
I agree to not use "policy" in the name
Martin^2




[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

2017-03-07 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

pvomacka commented:
"""
@pvoborni Thanks for review. I removed the space :) 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/400#issuecomment-284796053

[Freeipa-devel] [freeipa PR#400][synchronized] WebUI: Certificate Mapping

2017-03-07 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
 Title: #400: WebUI: Certificate Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400
From 4ec6844bec472e6a54352e0694cf1655d1df5a71 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 13:59:16 +0100
Subject: [PATCH 1/4] WebUI: Add possibility to set field always writable

If field will have set attribute 'always_writable' to true, then
'no_update' flag will be ignored. Used in command user-{add,remove}-certmap
which needs to be writable in WebUI and also needs to be omitted from
user-mod command.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js  | 43 +++-
 install/ui/src/freeipa/widget.js | 35 ++--
 2 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d70a778..9f287dd 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) {
 writable = false;
 }
 
-if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) {
+// In case that field has set always_writable attribute, then
+// 'no_update' flag is ignored in WebUI. It is done because of
+// commands like user-{add,remove}-certmap. They operate with user's
+// attribute, which cannot be changed using user-mod, but only
+// using command user-{add,remove}-certmap. Therefore it has set
+// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in
+// WebUI.
+if (that.metadata.flags &&
+array.indexOf(that.metadata.flags, 'no_update') > -1 &&
+!that.always_writable) {
 writable = false;
 }
 }
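Review bot: same point as on the copy of this commit in PR #549: the base `IPA.field` reads `that.always_writable` here without ever assigning it from `spec`, so only fields built through the new `certmap_command_multivalued_field` subclass get the override; either initialise it in `IPA.field` (`that.always_writable = spec.always_writable;`) or say in the comment that the subclass is required. The comment should also make clear that the flag affects rendering only, with `user-mod`'s `no_update` restriction and the server ACIs still enforced.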
@@ -1259,6 +1268,37 @@ field.certs_field = IPA.certs_field = function(spec) {
 return that;
 };
 
+
+/**
+ * Used along with custom_command_multivalued widget
+ *
+ * - by default has `w_if_no_aci` to workaround missing object class
+ * - by default has always_writable=true to workaround aci rights
+ *
+ * @class
+ * @alternateClassName IPA.custom_command_multivalued_field
+ * @extends IPA.field
+ */
+field.certmap_command_multivalued_field = function(spec) {
+
+spec = spec || {};
+spec.flags = spec.flags || ['w_if_no_aci'];
+
+var that = IPA.field(spec);
+
+/**
+ * Set field always writable in case that it is set to true
+ * @param Boolean always_writable
+ */
+that.always_writable = spec.always_writable === undefined ? true :
+spec.always_writable;
+
+return that;
+};
+
+
+IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;
+
 /**
  * SSH Keys Adapter
  * @class
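Review bot: the alias `IPA.custom_command_multivalued_field = field.custom_command_multivalued_field;` assigns `undefined`, because the function this hunk defines is `field.certmap_command_multivalued_field`; rename one side so they match (the `@alternateClassName IPA.custom_command_multivalued_field` tag has the same mismatch). `@param Boolean always_writable` documents a property, not a parameter; `@property {boolean}` is the right tag. `spec.flags = spec.flags || ['w_if_no_aci']` keeps the default only for falsy values, so a caller passing `[]` loses the workaround silently; say whether that is intended. Finally, 'to workaround aci rights' should spell out that the field is rendered writable regardless of the ACI rights reported for the entry, and that the server still enforces them.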
@@ -1652,6 +1692,7 @@ field.register = function() {
 f.register('checkbox', field.checkbox_field);
 f.register('checkboxes', field.field);
 f.register('combobox', field.field);
+f.register('certmap_multivalued', field.certmap_command_multivalued_field);
 f.register('datetime', field.datetime_field);
 f.register('enable', field.enable_field);
 f.register('entity_select', field.field);
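Review bot: the field type is registered as `certmap_multivalued` while the class is `certmap_command_multivalued_field` and its doc comment says it pairs with the `custom_command_multivalued` widget; pick one naming scheme so a reader can find the field type from the widget name and vice versa.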
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 15f0126..b7028a9 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1534,12 +1534,8 @@ IPA.custom_command_multivalued_widget = function(spec) {
  * Called on error of add command. Override point.
  */
 that.on_error_add = function(xhr, text_status, error_thrown) {
-that.adder_dialog.focus_first_element();
-
-if (error_thrown.message) {
-var msg = error_thrown.message;
-IPA.notify(msg, 'error');
-}
+that.adder_dialog.show();
+exp.focus_invalid(that.adder_dialog);
 };
 
 /**
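Review bot: `on_error_add` no longer surfaces `error_thrown.message`. The replacement `show()` plus `focus_invalid()` only helps when the failure is a client-side validation error; a server-side rejection (an ACI denial, a certificate the API refuses) now re-opens the dialog with no explanation. Keep the removed `IPA.notify(msg, 'error')` next to the new calls.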
@@ -1599,27 +1595,16 @@ IPA.custom_command_multivalued_widget = function(spec) {
 name: 'custom-add-dialog'
 };
 
-that.adder_dialog = IPA.dialog(spec);
-that.adder_dialog.create_button({
-name: 'add',
-label: '@i18n:buttons.add',
-click: function() {
-if (!that.adder_dialog.validate()) {
-exp.focus_invalid(that.adder_dialog);
-}
-else {
-that.add(that.adder_dialog);
-}
+spec.on_ok = function() {
+if (!that.adder_dialog.validate()) {
+exp.focus_invalid(that.adder_dialog);
 }
-});
-
-that.adder_dialog.create_button({
-name: 'cancel',
-label: '@i18n:buttons.cancel',
-  
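Review bot: the hunk is truncated in this archive, but in the visible part `spec.on_ok` closes over `that.adder_dialog` while the line that created it, `that.adder_dialog = IPA.dialog(spec);`, is removed; the dialog still has to be constructed from `spec` after `on_ok` is attached, and that line is not shown here. Since the new `on_ok` body is the old `add` click handler verbatim, the change is a move to the dialog's built-in OK/Cancel buttons; the commit message should say so.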

[Freeipa-devel] [freeipa PR#548][opened] ipa-server-install: add --setup-kra option

2017-03-07 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/548
Author: MartinBasti
 Title: #548: ipa-server-install: add --setup-kra option
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/548/head:pr548
git checkout pr548
From fd7806ec416c9f23d3423d717af4c9ef4be0865a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Mar 2017 17:08:59 +0100
Subject: [PATCH 1/3] KRA: add --setup-kra to ipa-server-install

This patch allows installing the KRA on the first IPA server in one step
using ipa-server-install.

This option improves container installation, where ipa-server can be
installed with the KRA in one call, without the need to call docker exec.

Please note that the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations that did
nothing, so it is safe to move them out of the CA block.

https://pagure.io/freeipa/issue/6731
---
 .test_runner_config.yaml |  3 +--
 ipaserver/install/server/__init__.py |  2 --
 ipaserver/install/server/install.py  | 13 +
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index e473d49..b7896c3 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -47,8 +47,7 @@ steps:
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   install_server:
   - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
--a ${server_password} --setup-dns --auto-forwarders
-  - ipa-kra-install -p ${server_password}
+-a ${server_password} --setup-dns --setup-kra --auto-forwarders
   lint:
   - PYTHON=/usr/bin/python2 make V=0 lint
   - PYTHON=/usr/bin/python3 make V=0 pylint
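Review bot: after this change the CI config never runs `ipa-kra-install` on its own; the PR's second commit says the separate path is covered elsewhere, so name that test in the commit message so the standalone KRA installer is visibly still exercised.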
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 65dfa21..ce74092 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -159,7 +159,6 @@ def domain_level(self, value):
 None,
 description="configure a dogtag KRA",
 )
-setup_kra = enroll_only(setup_kra)
 
 setup_dns = knob(
 None,
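Review bot: dropping `setup_kra = enroll_only(setup_kra)` exposes the knob on the master install path, which is the intent; note that the knob's default is `None`, not `False`, so `if options.setup_kra:` (as install.py does) is the correct test and any `is False` comparison would break. A one-line comment that the first KRA may now be installed by ipa-server-install would help the next reader.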
@@ -533,7 +532,6 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 host_password = None
 keytab = None
 setup_ca = True
-setup_kra = False
 
 domain_name = knob(
 bases=ServerMasterInstallInterface.domain_name,
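Review bot: removing the class-level `setup_kra = False` is needed for the knob to be honoured, but nothing in this PR updates user-facing documentation (the PR body is empty); the ipa-server-install man page and `--help` text need the new option described alongside this change.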
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1e6aad9..1e67a16 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -367,9 +367,9 @@ def install_check(installer):
 if not setup_ca and options.subject_base:
 raise ScriptError(
 "--subject-base cannot be used with CA-less installation")
-
-# first instance of KRA must be installed by ipa-kra-install
-options.setup_kra = False
+if not setup_ca and options.setup_kra:
+raise ScriptError(
+"--setup-kra cannot be used with CA-less installation")
 
 print("==="
   "===")
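Review bot: the new check only rejects `--setup-kra` for CA-less installs. The external-CA flow (`--external-ca`, two invocations) is not covered; either confirm that `kra.install` is only reached on the second invocation once the CA is issued, or reject the combination here in the same way. The message mirrors the `--subject-base cannot be used with CA-less installation` line above it, which is good.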
@@ -384,6 +384,8 @@ def install_check(installer):
 print("  * Create and configure an instance of Directory Server")
 print("  * Create and configure a Kerberos Key Distribution Center (KDC)")
 print("  * Configure Apache (httpd)")
+if options.setup_kra:
+print("  * Configure KRA (dogtag) for secret management")
 if options.setup_dns:
 print("  * Configure DNS (bind)")
 if options.setup_adtrust:
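Review bot: the summary line `Configure KRA (dogtag) for secret management` differs from the knob description `configure a dogtag KRA` in ipaserver/install/server/__init__.py; align the two so `--help` and the install summary use the same words.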
@@ -598,6 +600,7 @@ def install_check(installer):
 
 if setup_ca:
 ca.install_check(False, None, options)
+if options.setup_kra:
 kra.install_check(api, None, options)
 
 if options.setup_dns:
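Review bot: `kra.install_check(api, None, options)` now sits under `if options.setup_kra:` beside the CA check instead of inside `if setup_ca:`; that is only safe because the CA-less combination was rejected earlier in `install_check`, so add a one-line comment pointing at that check to keep the two from drifting apart.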
@@ -802,7 +805,6 @@ def install(installer):
 
 if setup_ca:
 ca.install_step_1(False, None, options)
-kra.install(api, None, options)
 
 # The DS instance is created before the keytab, add the SSL cert we
 # generated
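Review bot: the commit message justifies removing `kra.install(api, None, options)` from the CA block by saying it was a no-op because `options.setup_kra` was forced to `False`; that matches the `install_check` hunk above, but a test asserting that a master install without `--setup-kra` configures no KRA would lock the behaviour in now that the forced `False` is gone.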
@@ -842,6 +844,9 @@ def install(installer):
 service.print_msg("Restarting the KDC")
 krb.restart()
 
+if options.setup_kra:
+kra.install(api, None, options)
+
 if options.setup_dns:
 dns.install(False, False, options)
 else:
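Review bot: `kra.install` now runs after the KDC restart and before `dns.install`; if it fails part-way, the installer's error path has to clean up a partially configured KRA, something previously only `ipa-kra-install` (with its own rollback) could leave behind. Check that the `except` path in `install()` handles it, and consider ordering it after DNS so a KRA failure does not leave the new server without name service.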

From 29d3bdb3cc5b62837a41f681c3c70add69eb8bcb Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Mar 2017 17:44:17 +0100
Subject: [PATCH 2/3] tests: use --setup-kra in tests

This will allow testing the --setup-kra option together with
ipa-server-install in install tests.

Separate installation using ipa-kra-install is already covered.

https://pagure.io/freeipa/issue/6731
---
 ipatests/test_integration/tasks.py | 9 ++---
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 

[Freeipa-devel] [freeipa PR#533][+ack] WebUI: Change structure of Identity submenu

2017-03-07 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 77ba575a4400e3e27eb8278e8d9161e8ae33d0d4 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py|  30 ++-
 ipapython/session_storage.py | 193 +++
 2 files changed, 201 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..cf7765c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
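Review bot: `ipapython.session_storage` loads `libkrb5.so.3` with ctypes at import time and converts a missing library into `ImportError`; importing it unconditionally here makes all of `ipalib.rpc` unimportable wherever libkrb5 is absent or carries a different SONAME, a dependency `kernel_keyring` did not have. Import it lazily inside the three session-data helpers, or guard the import.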
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
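Review bot: `client_session_keyring_keyname()` and `KEYRING_COOKIE_NAME` are public names deleted here while `COOKIE_NAME` stays; grep callers outside this file first, since the thread notes keyring code is still used elsewhere. Also worth a comment at `CCACHE_COOKIE_KEY_NAME`: the cookie now lives in the ccache, so it is protected exactly like the TGT, and anyone who can read the ccache file can replay the IPA web session as well as the Kerberos credentials (the same trust boundary, which is the point of the change).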
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
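Review bot: the `except Exception as e: raise ValueError(str(e))` wrapper was explained by the removed comment about kernel_keyring only raising ValueError; with `session_storage` raising `KRB5Error(result, func.__name__, arguments)` it now throws away the numeric krb5 code. Either let `KRB5Error` propagate or chain it (`raise ValueError(...) from e` on Python 3) so callers can still see the cause.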
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
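Review bot: callers of `read_persistent_client_session_data` need to tell 'no cookie stored for this principal' from 'ccache not readable'; this hunk folds both into `ValueError(str(e))`. Document which exception `get_data` raises for a missing key, or return `None` in that case, so an absent cookie leads to a fresh login instead of an error.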
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
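Review bot: `remove_data` is called from logout and error paths, so it must be a no-op rather than an exception when no entry exists; otherwise deleting a cookie that was never stored surfaces as `ValueError` here. If removal is implemented by overwriting the config entry with an empty value, `get_data` must treat an empty value as absent.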
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..b997c80
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,193 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+
+class KRB5Error(Exception):
+pass
+
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+if result != 0:
+raise KRB5Error(result, func.__name__, arguments)
+
+
+krb5_principal = ctypes.POINTER(krb5_principal_data)
+krb5_context = ctypes.POINTER(_krb5_context)
+krb5_ccache = ctypes.POINTER(_krb5_ccache)
+krb5_data_p = ctypes.POINTER(_krb5_data)
+krb5_error = 
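Review bot: `_krb5_data.data` is declared `ctypes.c_char_p`, so reading the field yields bytes only up to the first NUL and ignores `length`; declare it `ctypes.POINTER(ctypes.c_char)` and read with `ctypes.string_at(d.data, d.length)` so binary values round-trip. `ctypes.CDLL('libkrb5.so.3')` hard-codes the SONAME, fine on Fedora but worth a `ctypes.util.find_library('krb5')` fallback. `krb5_errcheck` raises the bare numeric code; passing it through `krb5_get_error_message` gives a readable message. The file is cut off in this archive after `krb5_error =`.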

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
@flo-renaud That's right but we should probably stress this somehow because 
it's not intuitive. Also we're returning what SSSD would return on master but 
we have no idea what it will return on some other host.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-284776883

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

tomaskrizek commented:
"""
The patch works with both `cyrus-sasl-2.1.26-26.2.fc24` and 
`cyrus-sasl-2.1.26-29.fc26`.

Since the newer version is not a hard dependency, we can add it later on, as 
@simo5 suggested.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/547#issuecomment-284776517

[Freeipa-devel] [freeipa PR#547][+ack] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

Label: +ack

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
I also renamed the module and the class, makes more sense to me this way around.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284775755

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
Ok removed a bunch of code and made sure pylint passes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284775623

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 1a90c205283f9c061753ed1d8ab33a0e4f2ac06e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py|  30 ++-
 ipapython/session_storage.py | 186 +++
 2 files changed, 194 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..cf7765c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
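Review bot: this `ipalib/rpc.py` diff is byte-for-byte the previous push (same blob ids `8d1bba5..cf7765c`); only `ipapython/session_storage.py` changed, from 193 to 186 lines, so that is where review effort belongs. The import-time `libkrb5.so.3` dependency this line brings into `ipalib.rpc` still wants a lazy import or a guard.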
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..10359e1
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,186 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+class KRB5Error(Exception):
+pass
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+if result != 0:
+raise KRB5Error(result, func.__name__, arguments)
+
+krb5_principal = ctypes.POINTER(krb5_principal_data)
+krb5_context = ctypes.POINTER(_krb5_context)
+krb5_ccache = ctypes.POINTER(_krb5_ccache)
+krb5_data_p = ctypes.POINTER(_krb5_data)
+krb5_error = ctypes.c_int32
+

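The `_krb5_data` struct in both pushes of `ipapython/session_storage.py` above declares its `data` member as `ctypes.c_char_p`. The following is an added example, not code from the PR or from FreeIPA: it builds the same struct twice, once as the PR does and once with a raw `POINTER(c_char)` member, fills each with a constructed payload the way libkrb5 would, and shows that the `c_char_p` version silently truncates at an embedded NUL while the `length`-based read returns the whole value. The struct names, helper functions and sample payloads are invented for the example; no libkrb5 is needed to run it.

```python
# Added example (not code from PR#546 or FreeIPA): why the `data` member of a
# krb5_data-style ctypes struct should be read through `length`, not c_char_p.
import ctypes


class KRB5DataCharP(ctypes.Structure):
    """krb5_data laid out as in the PR: `data` is a C string pointer."""
    _fields_ = [
        ("magic", ctypes.c_int32),
        ("length", ctypes.c_uint),
        ("data", ctypes.c_char_p),
    ]


class KRB5DataRaw(ctypes.Structure):
    """Identical layout, but `data` is a raw char pointer so `length` is usable."""
    _fields_ = [
        ("magic", ctypes.c_int32),
        ("length", ctypes.c_uint),
        ("data", ctypes.POINTER(ctypes.c_char)),
    ]


def layouts_match() -> bool:
    """Both structs have the same size and `data` offset, i.e. the same C ABI."""
    return (ctypes.sizeof(KRB5DataCharP) == ctypes.sizeof(KRB5DataRaw)
            and KRB5DataCharP.data.offset == KRB5DataRaw.data.offset)


def read_via_c_char_p(payload: bytes) -> bytes:
    """Simulate libkrb5 handing back `payload`, read through a c_char_p field.

    ctypes converts a c_char_p by scanning for the first NUL, so `length` is
    silently ignored and anything after an embedded NUL is lost.
    """
    # create_string_buffer appends a terminating NUL; we rely on it only so the
    # c_char_p read below cannot run past the end of the constructed buffer.
    buf = ctypes.create_string_buffer(payload)
    d = KRB5DataCharP(0, len(payload), ctypes.cast(buf, ctypes.c_char_p))
    return d.data


def read_via_length(payload: bytes) -> bytes:
    """Same constructed payload, read as exactly `length` bytes from `data`."""
    buf = ctypes.create_string_buffer(payload)
    d = KRB5DataRaw(0, len(payload),
                    ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    return ctypes.string_at(d.data, d.length)


if __name__ == "__main__":
    # Constructed sample: a cookie-like value with an embedded NUL byte.
    sample = b"ipa_session=abc\x00tail"
    print("layouts match:", layouts_match())
    print("c_char_p read :", read_via_c_char_p(sample))
    print("length read   :", read_via_length(sample))
```

For the text-only session cookie the PR stores, both reads agree; the difference only shows for binary values, which is why the `length`-based read is the safe default for a generic `krb5_data` wrapper.
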
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Hi @dkupka 
As the goal of this command is to return exactly the same list of users as SSSD 
would consider for authentication, IMHO it is expected that we may have a 
cached list instead of an up-to-date list of results, because sssd 
authentication would have the same result.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-284775400

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
@flo-renaud While playing with this command I've noticed one disturbing fact. 
Because we rely on SSSD and SSSD relies on its cache, we will likely return 
inaccurate results.
I'm thinking about the use-case when an admin calls certmap-match to list current 
users mapped to the certificate. Then he performs some changes and calls 
certmap-match again to verify his changes. At that point SSSD may use the cache and 
return an obsolete result.
One possible solution would be expiring the cache on every certmap-match call, 
but that can easily have a serious performance impact.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-284774035

[Freeipa-devel] [freeipa PR#529][comment] installer: update time estimates

2017-03-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/529
Title: #529: installer: update time estimates

stlaz commented:
"""
This will say:
```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
```
but the operation lasts ~5 seconds at most.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/529#issuecomment-284770027

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
@rcritten the keyring stuff is still used for detection of keyring in other 
places, so I did not touch it as those uses are still valid

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284767193

[Freeipa-devel] [freeipa PR#538][comment] Run test_ipaclient test suite

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/538
Title: #538: Run test_ipaclient test suite

tomaskrizek commented:
"""
Please rebase and remove 5dfb17168972e480c1880e688a60fd2eb7de1dfe.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/538#issuecomment-284755651

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

MartinBasti commented:
"""
Pylint failed and I have a few inline comments
```
* Module ipapython.ccache_storage
ipapython/ccache_storage.py:234: [C0305(trailing-newlines), ] Trailing newlines)
ipapython/ccache_storage.py:32: [W1612(unicode-builtin), c_text_p.from_param] 
unicode built-in referenced)
ipapython/ccache_storage.py:45: [E1101(no-member), c_text_p.text] Class 'value' 
has no 'decode' member)
ipapython/ccache_storage.py:128: [C1001(old-style-class), session_store] 
Old-style class defined.)
ipapython/ccache_storage.py:132: [E0710(raising-non-exception), 
session_store.__init__] Raising a new style class which doesn't inherit from 
BaseException)
ipapython/ccache_storage.py:6: [W0611(unused-import), ] Unused import os)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284755511

[Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/545
Title: #545: install_check: require IPv6 stack to be enabled

tomaskrizek commented:
"""
We tested it with @MartinBasti and `/proc` is mounted in the container.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/545#issuecomment-284751484

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

simo5 commented:
"""
Yes, I think we should add a new PR later once we release gssproxy 0.7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-284743273

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

simo5 commented:
"""
We actually do not need to put a strong require, this patch will work 
regardless, but won't provide any performance advantage on older versions.

You will add a stronger require when the GC work is done, so we can defer to 
that point to add it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/547#issuecomment-284743086

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Martin Babinsky
On Tue, Mar 07, 2017 at 04:34:42PM +0200, Alexander Bokovoy wrote:
>On Tue, 07 Mar 2017, Simo Sorce wrote:
>> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
>> > On 03/06/2017 01:48 PM, Simo Sorce wrote:
>> > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>> > >> On 03/02/2017 02:54 PM, Simo Sorce wrote:
>> > >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>> >  In this case it would probably be a good idea to think about "forward
>> >  compatibility" and define a new AUX objectclass bringing in
>> >  'ipaDomainResolutionOrder' instead of extending two separate
>> >  objectclasses. In this way we may then just extend whatever object we
>> >  desire to carry the override in an easy and clean way.
>> > >>>
>> > >>> I agree.
>> > >>> Simo.
>> > >>>
>> > >>
>> > >> Now the most difficult question remains... How to name this objectclass.
>> > >> I personally am out of ideas but will try my best to come up with
>> > >> something meaningful.
>> > >
>> > > Try to describe what the option ultimately does with as few words as
>> > > possible.
>> > >
>> > > Simo.
>> > >
>> > >
>> > 
>> > I was thinking about this and since we are performing name qualification
>> > (short-name -> fully-qualified name incl. domain/realm part), I would
>> > like to propose the following naming schema:
>> > 
>> > objectclasses: ( OID_TBD NAME ipaNameQualificationData Desc 'data used
>> > for short name qualification data' SUP top AUXILIARY MAY
>> > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
>> > 
>> > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
>> > 'List of domains used to qualify user short name' EQUALITY
>> > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> > X-ORIGIN 'IPA v4.5' )
>> > 
>> > Let me know if you are ok with this or am I overengineering the names?
>> > 
>> > I would like to solve this quickly so that I can finish the design and
>> > start implementation.
>> 
>> I was thinking that we can use acronyms here to make it less of a
>> mouthful and also more easily recognizable:
>> My idea is:
>> - ipaNameQualificationData -> ipaFQDNPolicies
>> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder
>Sounds good to me.
>-- 
>/ Alexander Bokovoy

I am not sure about the relation of this to any policy, but I guess that is
just nitpicking.

I will wait awhile for others to object and then update design.

-- 
Martin Babinsky


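To make the proposal in this thread concrete, here is an added example (not part of the design draft or of FreeIPA) of what the ordered domain list does at lookup time: a short name is tried against each domain in order and the first existing fully-qualified name wins, so the order decides which identity an ambiguous short name denotes. Assumptions, none of which the thread fixes: the attribute value is ':'-separated, matching is case-insensitive (the proposed `caseIgnoreIA5Match` equality rule), already-qualified names are never re-qualified, and the `DIRECTORY` set is a constructed stand-in for the LDAP/SSSD lookup. All function names are invented.

```python
# Added example (not from the design draft or FreeIPA): qualifying a short
# user name against an ordered domain list, and why the order is security
# relevant. ':' as the separator and case-insensitive matching are assumptions.
from typing import Iterable, List, Optional

# Constructed directory of users that exist, keyed by fully-qualified name.
DIRECTORY = {
    "alice@ipa.example.test",
    "alice@ad.example.test",   # same short name as the IPA user: a collision
    "bob@ad.example.test",
}


def parse_domain_list(value: str) -> List[str]:
    """Parse the single-valued attribute into an ordered list of domains.

    Empty elements are dropped; a domain listed twice is rejected because
    the order would then be ambiguous.
    """
    domains = [d.strip().lower() for d in value.split(":")]
    domains = [d for d in domains if d]
    seen = set()
    for d in domains:
        if d in seen:
            raise ValueError("domain listed twice: %s" % d)
        seen.add(d)
    return domains


def qualify(short_name: str, domains: Iterable[str],
            directory=DIRECTORY) -> Optional[str]:
    """Return the first fully-qualified name, in domain order, that exists.

    A name that already contains '@' is taken as qualified and only checked,
    never re-qualified, so 'alice@ad.example.test' cannot be redirected to
    the IPA user by putting ipa.example.test first in the list.
    """
    name = short_name.strip().lower()
    if not name:
        raise ValueError("empty user name")
    if "@" in name:
        return name if name in directory else None
    for domain in domains:
        candidate = "%s@%s" % (name, domain)
        if candidate in directory:
            return candidate
    return None


def shadowed_matches(short_name: str, domains: Iterable[str],
                     directory=DIRECTORY) -> List[str]:
    """All qualified names a short name could denote, in list order.

    More than one entry means the first domain shadows the others; an admin
    should treat such a short name as ambiguous and use the qualified form.
    """
    name = short_name.strip().lower()
    return ["%s@%s" % (name, d) for d in domains
            if "%s@%s" % (name, d) in directory]


if __name__ == "__main__":
    order = parse_domain_list("ipa.example.test:AD.example.test")
    print("order      :", order)
    print("alice      :", qualify("alice", order))
    print("alice (rev):", qualify("alice", list(reversed(order))))
    print("shadowed   :", shadowed_matches("alice", order))
```

The reversed-order call is the point of the example: changing the attribute value changes which account `alice` resolves to, which is why write access to the object carrying this attribute must be treated as write access to user identity mapping.
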
[Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

simo5 commented:
"""
I do not have enough insights on the .js side to say this is all correct, but 
having seen the mockups I want to give an ack from my side here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/533#issuecomment-284739181

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-03-07 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
Ok, please comment here once 0.7 is out and I will update the commit.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-284738537

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

abbra commented:
"""
LGTM but I think we should also update Requires: in the spec file to use 
cyrus-sasl-2.1.26-29.fc26 or later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/547#issuecomment-284736912

[Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled

2017-03-07 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/545
Title: #545: install_check: require IPv6 stack to be enabled

abbra commented:
"""
How is the /proc check going to play with containers?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/545#issuecomment-284738343

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Alexander Bokovoy

On Tue, 07 Mar 2017, Simo Sorce wrote:

> On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
> 
> > On 03/06/2017 01:48 PM, Simo Sorce wrote:
> > > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
> > >> On 03/02/2017 02:54 PM, Simo Sorce wrote:
> > >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> > >>>> In this case it would probably be a good idea to think about "forward
> > >>>> compatibility" and define a new AUX objectclass bringing in
> > >>>> 'ipaDomainResolutionOrder' instead of extending two separate
> > >>>> objectclasses. In this way we may then just extend whatever object we
> > >>>> desire to carry the override in an easy and clean way.
> > >>>
> > >>> I agree.
> > >>> Simo.
> > >>>
> > >>
> > >> Now the most difficult question remains... How to name this objectclass.
> > >> I personally am out of ideas but will try my best to come up with
> > >> something meaningful.
> > >
> > > Try to describe what the option ultimately does with as few words as
> > > possible.
> > >
> > > Simo.
> > >
> > >
> > 
> > I was thinking about this and since we are performing name qualification
> > (short-name -> fully-qualified name incl. domain/realm part), I would
> > like to propose the following naming schema:
> > 
> > objectclasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used
> > for short name qualification data' SUP top AUXILIARY MAY
> > (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
> > 
> > attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC
> > 'List of domains used to qualify user short name' EQUALITY
> > caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
> > X-ORIGIN 'IPA v4.5' )
> > 
> > Let me know if you are ok with this or am I overengineering the names?
> > 
> > I would like to solve this quickly so that I can finish the design and
> > start implementation.
> 
> I was thinking that we can use acronyms here to make it less of a
> mouthful and also more easily recognizable:
> My idea is:
> - ipaNameQualificationData -> ipaFQDNPolicies
> - ipaNameQualificationDomainList -> ipaFQDNCheckOrder

Sounds good to me.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Simo Sorce
On Tue, 2017-03-07 at 09:38 +0100, Martin Babinsky wrote:
> On 03/06/2017 01:48 PM, Simo Sorce wrote:
> > On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
> >> On 03/02/2017 02:54 PM, Simo Sorce wrote:
> >>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
> >>>> In this case it would probably be a good idea to think about "forward
> >>>> compatibility" and define a new AUX objectclass bringing in
> >>>> 'ipaDomainResolutionOrder' instead of extending two separate
> >>>> objectclasses. In this way we may then just extend whatever object we
> >>>> desire to carry the override in an easy and clean way.
> >>>
> >>> I agree.
> >>> Simo.
> >>>
> >>
> >> Now the most difficult question remains... How to name this objectclass.
> >> I personally am out of ideas but will try my best to come up with
> >> something meaningful.
> >
> > Try to describe what the option ultimately does with as few words as
> > possible.
> >
> > Simo.
> >
> >
> 
> I was thinking about this and since we are performing name qualification 
> (short-name -> fully-qualified name incl. domain/realm part), I would 
> like to propose the following naming schema:
> 
> objectclasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used 
> for short name qualification data' SUP top AUXILIARY MAY 
> (ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )
> 
> attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC 
> 'List of domains used to qualify user short name' EQUALITY 
> caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
> X-ORIGIN 'IPA v4.5' )
> 
> Let me know if you are ok with this or am I overengineering the names?
> 
> I would like to solve this quickly so that I can finish the design and 
> start implementation.

I was thinking that we can use acronyms here to make it less of a
mouthful and also more easily recognizable:
My idea is:
- ipaNameQualificationData -> ipaFQDNPolicies
- ipaNameQualificationDomainList -> ipaFQDNCheckOrder

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation

2017-03-07 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

LiptonB commented:
"""
Thanks for the feedback. I will put together a new version using CFFI and the 
`openssl req` format for subject names.

Regarding helpers, this code has all CSR generation go through the 
`CertificationRequestInfo`-based flow, so the other helpers can't actually be 
accessed. Maybe we should remove the helper/formatter abstraction entirely, and 
have the new format (raw openssl config) be the only jinja template available. 
This makes things simpler but will remove all support for NSS databases until 
we add it to the new flow. What do you think? (An alternative would be to 
remove only the `openssl` helper, and add a `CertificationRequestInfoFormatter` 
in its place).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/542#issuecomment-284727415

[Freeipa-devel] [freeipa PR#547][synchronized] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
 Title: #547: Use GSS-SPNEGO if connecting locally
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 431a21bace9d6e071c9f0bd7cfbc27d7748164bc Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a SASL bind with fewer round trips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
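Review bot: the comment above the new constant still reads "Global variable to define SASL auth" in the singular; now that `SASL_GSS_SPNEGO` sits next to `SASL_GSSAPI` it should say "Global variables to define SASL auth mechanisms" and state in one line why sharing a single `ldap.sasl.sasl` instance across every connection is safe (no per-connection state is kept in it), so the next person does not revert to constructing one per bind as the old code did.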
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)
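Review bot: the docstring at the top of this hunk still says the bind uses "the SASL GSSAPI mechanism", but the body now selects GSS-SPNEGO whenever `self._protocol == 'ldapi'`; update it to "GSS-SPNEGO over ldapi, GSSAPI otherwise" and move the compatibility reasoning from the commit message (older Cyrus SASL does not negotiate GSS-SPNEGO correctly, so it is restricted to the local socket) next to the code that implements it. Note also that the condition keys on the transport, not on the peer host: an `ldap://` or `ldaps://` connection to the local server keeps GSSAPI, which matches the stated intent only if "local" means the Unix socket, so say so explicitly. Finally, `self._protocol` is relied on here; confirm it is set on every constructor path, otherwise this branch raises AttributeError before the bind is attempted.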

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 4c13d3360b28da66cf1fe54e7fb1c022f24e4c2e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
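Review bot: `allow_client_ccache_sync = true` is, by the commit message's own account, an option that only exists from gssproxy 0.7 and only pays off with krb5 1.15.1, yet nothing in this change enforces either version; the template is rendered on every install, so tie it to the gssproxy version bump being discussed in PR#511 (which is waiting for 0.7) and record the krb5 dependency there as well, rather than shipping a config line that older gssproxy releases do not understand.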
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
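Review bot: the second service block gets the same line, but the template carries no explanation of what the option does, and this is the file an administrator reads when ticket caching misbehaves; add a short comment above each `allow_client_ccache_sync = true` saying, as the commit message does, that it is what lets the ldap ticket be cached instead of being requested from the KDC on every connection, so the rationale does not live only in git history.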

[Freeipa-devel] [freeipa PR#547][opened] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
 Title: #547: Use GSS-SPNEGO if connecting locally
Action: opened

PR body:
"""
GSS-SPNEGO allows us to negotiate a SASL bind with fewer round trips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 990f35d49602866724849f900e69079c5df6f86b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a SASL bind with fewer round trips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.

Signed-off-by: Simo Sorce 
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)

[Freeipa-devel] [freeipa PR#546][opened] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: opened

PR body:
"""
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 8aac1aee8c10810ef1e9590b23a982ed98585f09 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py   |  30 ++
 ipapython/ccache_storage.py | 234 
 2 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/ccache_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..027a11f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import ccache_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
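Review bot: with `from ipapython import kernel_keyring` dropped here, every remaining reference to `kernel_keyring` in rpc.py has to go in the same change; the three later hunks remove the `update_key`, `read_key` and `del_key` calls, so please confirm (a grep is enough) that those were the only users, otherwise this import removal surfaces as a NameError at the first session lookup rather than at import time.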
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
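Review bot: `client_session_keyring_keyname` was a public module-level function and deleting it here changes the module's interface; if anything outside rpc.py imports it, that caller breaks only when run. Either keep a thin shim or state in the commit message that the removal is intentional. It would also help to say where `CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'` ends up inside the ccache (the new store takes both the key name and the principal, so presumably one entry per principal), since the commit message's claim that `kdestroy` now wipes the cookie depends on it living in the ccache file and nowhere else.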
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
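Review bot: the `try` block now wraps the whole store call in `except Exception as e: raise ValueError(str(e))`, which discards the exception type and traceback; the deleted comment "kernel_keyring only raises ValueError (why??)" was questioning exactly this contract, and carrying it over to the new backend keeps the problem. Let `KRB5Error` (defined in ccache_storage.py) propagate, or use `six.raise_from(ValueError(str(e)), e)` so the cause is preserved on Python 3. Style: removing the trailing lines leaves a single blank line before `def read_persistent_client_session_data`, which pycodestyle flags as E302.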
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
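Review bot: what `s.get_data(principal)` returns when no cookie is stored for the principal is not specified anywhere in this hunk; the removed code path was documented (in the deleted comment) as raising ValueError, and callers may rely on that to detect a missing cookie, so state the return contract in the docstring of `read_persistent_client_session_data` and make sure the new backend matches it (None versus an exception that the `except` above turns into ValueError). Same single-blank-line issue before the next `def` as in the previous hunk.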
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
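Review bot: clarify what `s.remove_data(principal)` does when no entry exists. `delete_persistent_client_session_data` is the kind of cleanup call that runs when the cookie may already be gone, so a missing entry should be a no-op rather than an error converted into ValueError; say which it is in the docstring and, if the store raises, handle that case here. A test that `read_persistent_client_session_data` no longer returns the cookie after this call, and that the ccache file itself no longer contains `X-IPA-Session-Cookie`, would back the commit message's statement about `kdestroy`.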
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/ccache_storage.py b/ipapython/ccache_storage.py
new file mode 100644
index 000..2944b33
--- /dev/null
+++ b/ipapython/ccache_storage.py
@@ -0,0 +1,234 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+import os
+import sys
+
+import six
+
+
+class KRB5Error(Exception):
+pass
+
+
+PY3 = sys.version_info[0] == 3
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+LIBKRB5 = e
+else:
+class c_text_p(ctypes.c_char_p):  # noqa
+"""A c_char_p variant that can handle UTF-8 text"""
+@classmethod
+def from_param(cls, value):
+if value is None:
+return None
+if PY3 and isinstance(value, str):
+return value.encode('utf-8')
+elif not PY3 and isinstance(value, unicode):  # noqa
+return value.encode('utf-8')
+elif not isinstance(value, bytes):
+raise TypeError(value)
+else:
+return value
+
+@property
+def text(self):
+value = self.value
+if value is None:
+return None
+   
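Review bot: in the `try: LIBKRB5 = ctypes.CDLL('libkrb5.so.3') except OSError as e: LIBKRB5 = e` block, storing the exception object in place of the library means a later attribute access on `LIBKRB5` fails with an unrelated AttributeError; keep `LIBKRB5 = None`, remember the error, and raise `KRB5Error` with the original message at the point of use so the failure says that libkrb5 could not be loaded. The hard-coded soname `libkrb5.so.3` also pins the module to one MIT krb5 ABI version; `ctypes.util.find_library('krb5')` is a reasonable fallback. In the portion of the new file visible here, `import os` and `import six` are unused; drop them if the rest of the file does not need them either.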

[Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

martbab commented:
"""
@abbra I have a question regarding one of your comments, please review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/420#issuecomment-284724932

[Freeipa-devel] [freeipa PR#545][edited] install_check: require IPv6 stack to be enabled

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/545
Author: tomaskrizek
 Title: #545: install_check: require IPv6 stack to be enabled
Action: edited

 Changed field: body
Original value:
"""
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608
"""


[Freeipa-devel] [freeipa PR#545][opened] install_check: require IPv6 stack to be enabled

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/545
Author: tomaskrizek
 Title: #545: install_check: require IPv6 stack to be enabled
Action: opened

PR body:
"""
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/545/head:pr545
git checkout pr545
From 5851ab9187ef9eb78c2a41b9aac10bf3090bb870 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Mar 2017 13:54:41 +0100
Subject: [PATCH] install_check: require IPv6 stack to be enabled

Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608
---
 ipaplatform/base/paths.py  |  1 +
 ipaplatform/base/tasks.py  |  5 +
 ipaplatform/redhat/tasks.py| 14 ++
 ipaserver/install/server/install.py|  1 +
 ipaserver/install/server/replicainstall.py |  1 +
 5 files changed, 22 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e4d4f2e..7f737d4 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -354,5 +354,6 @@ class BasePathNamespace(object):
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
 KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
+IF_INET6 = '/proc/net/if_inet6'
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 5806e75..9f91fef 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -103,6 +103,11 @@ def check_selinux_status(self):
 
 raise NotImplementedError()
 
+def check_ipv6_stack_enabled(self):
+"""Check whether IPv6 kernel module is loaded"""
+
+raise NotImplementedError()
+
 def restore_hostname(self, fstore, statestore):
 """
 Restores the original hostname as backed up in the
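Review bot: the base implementation raises `NotImplementedError`, but `install_check` and `common_check` call `tasks.check_ipv6_stack_enabled()` unconditionally, so any platform whose task namespace does not override it (only ipaplatform/redhat/tasks.py does in this diff) now aborts the installer with an unhandled NotImplementedError, unless those platforms inherit from the Red Hat namespace. Since `/proc/net/if_inet6` is a Linux kernel interface rather than a Red Hat specific path, the existence check belongs here in the base class as the default, with platforms free to override it.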
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 8f9b39b..a70d359 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -141,6 +141,20 @@ def check_selinux_status(self, restorecon=paths.RESTORECON):
'Install the policycoreutils package and start '
'the installation again.' % restorecon)
 
+def check_ipv6_stack_enabled(self):
+"""Checks whether IPv6 kernel module is loaded.
+
+Function checks if /proc/net/if_inet6 is present. If IPv6 stack is 
+enabled, it exists and contains the interfaces configuration.
+
+:raises: RuntimeError when IPv6 stack is disabled
+"""
+if not os.path.exists(paths.IF_INET6):
+raise RuntimeError(
+"IPv6 kernel module has to be enabled. If you do not wish to "
+"use IPv6, please disable it on the interfaces in "
+"sysctl.conf and enable the IPv6 kernel module.")
+
 def restore_pre_ipa_client_configuration(self, fstore, statestore,
  was_sssd_installed,
  was_sssd_configured):
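Review bot: the docstring says the file "exists and contains the interfaces configuration", but the code only tests `os.path.exists(paths.IF_INET6)`; a host where the module is loaded but IPv6 was disabled per interface via sysctl keeps the file (empty) and therefore passes, which is consistent with the error message's advice to disable IPv6 on the interfaces rather than the module, but the docstring should say that only module presence is checked. For the container question raised in the PR comments, the commit message should record what was tested, i.e. whether the file is present inside a container whose host kernel has the IPv6 module loaded. Two nits: confirm `os` is imported in this module, and drop the trailing whitespace on the "If IPv6 stack is " docstring line.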
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1e6aad9..f17461b 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -305,6 +305,7 @@ def install_check(installer):
 external_ca_file = installer._external_ca_file
 http_ca_cert = installer._ca_cert
 
+tasks.check_ipv6_stack_enabled()
 tasks.check_selinux_status()
 
 if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 3757700..d7f0307 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -567,6 +567,7 @@ def check_remote_version(client, local_version):
 
 
 def common_check(no_ntp):
+tasks.check_ipv6_stack_enabled()
 tasks.check_selinux_status()
 
 if is_ipa_configured():

[Freeipa-devel] [freeipa PR#540][closed] rabase.get_certificate: make serial number arg mandatory

2017-03-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/540
Author: frasertweedale
 Title: #540: rabase.get_certificate: make serial number arg mandatory
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/540/head:pr540
git checkout pr540

[Freeipa-devel] [freeipa PR#540][comment] rabase.get_certificate: make serial number arg mandatory

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/540
Title: #540: rabase.get_certificate: make serial number arg mandatory

tomaskrizek commented:
"""
master:

* 3ba0375c831eca673c2df146b565a32dbc03fdb3 rabase.get_certificate: make serial 
number arg mandatory
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/540#issuecomment-284707795

[Freeipa-devel] [freeipa PR#540][+pushed] rabase.get_certificate: make serial number arg mandatory

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/540
Title: #540: rabase.get_certificate: make serial number arg mandatory

Label: +pushed

[Freeipa-devel] [freeipa PR#540][+ack] rabase.get_certificate: make serial number arg mandatory

2017-03-07 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/540
Title: #540: rabase.get_certificate: make serial number arg mandatory

Label: +ack

[Freeipa-devel] [freeipa PR#537][closed] test_csrgen: adjusted comparison test scripts for CSRGenerator

2017-03-07 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/537
Author: Rezney
 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/537/head:pr537
git checkout pr537

[Freeipa-devel] [freeipa PR#537][+pushed] test_csrgen: adjusted comparison test scripts for CSRGenerator

2017-03-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/537
Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator

Label: +pushed

[Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator

2017-03-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/537
Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator

martbab commented:
"""
master:

* 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637 test_csrgen: adjusted comparison 
test scripts for CSRGenerator
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/537#issuecomment-284706378

[Freeipa-devel] [freeipa PR#544][opened] Don't use weak ciphers for client HTTPS connections

2017-03-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/544
Author: stlaz
 Title: #544: Don't use weak ciphers for client HTTPS connections
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6730
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/544/head:pr544
git checkout pr544
From 6aac15ae557d6c2c1c11660334e72192530ca225 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 23 Feb 2017 14:31:50 +0100
Subject: [PATCH] Don't use weak ciphers for client HTTPS connections

https://pagure.io/freeipa/issue/6730
---
 ipalib/util.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 2beabf1..cbfbc5d 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -303,6 +303,10 @@ def create_https_connection(
 ssl.OP_SINGLE_ECDH_USE
 )
 
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
+
 # pylint: enable=no-member
 # set up the correct TLS version flags for the SSL context
 for version in TLS_VERSIONS:
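Review bot: the cipher string is a security-policy decision buried as a literal inside `create_https_connection`; hoist it to a module constant next to `TLS_VERSIONS` (used a few lines below) so it can be reviewed and reused in one place. Add a test that builds the context and, on Python 3.6+, walks `ctx.get_ciphers()` asserting that no suite name contains RC4, MD5, 3DES, PSK or SRP: `SSLContext.set_ciphers` raises `ssl.SSLError` only when the whole string matches nothing and silently accepts a string that still admits a weak suite. Two caveats worth a comment: `HIGH` does not by itself exclude static RSA key exchange, so this string does not guarantee forward secrecy, and the `# pylint: enable=no-member` marker now sits after the new call, which is only right if `set_ciphers` is not one of the members pylint complained about.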

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

HonzaCholasta commented:
"""
@flo-renaud, thanks, LGTM.

BTW Travis fails because there is no `sssd-dbus >= 1.15.1` - submitting a build 
to freeipa-master now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-284661291

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-07 Thread Martin Babinsky

On 03/06/2017 01:48 PM, Simo Sorce wrote:
> On Mon, 2017-03-06 at 07:47 +0100, Martin Babinsky wrote:
>> On 03/02/2017 02:54 PM, Simo Sorce wrote:
>>> On Thu, 2017-03-02 at 08:10 +0100, Martin Babinsky wrote:
>>>> In this case it would probably be a good idea to think about "forward
>>>> compatibility" and define a new AUX objectclass bringing in
>>>> 'ipaDomainResolutionOrder' instead of extending two separate
>>>> objectclasses. In this way we may then just extend whatever object we
>>>> desire to carry the override in an easy and clean way.
>>>
>>> I agree.
>>> Simo.
>>>
>>
>> Now the most difficult question remains... How to name this objectclass.
>> I personally am out of ideas but will try my best to come up with
>> something meaningful.
>
> Try to describe what the option ultimately does with as few words as
> possible.
>
> Simo.
>

I was thinking about this and since we are performing name qualification 
(short-name -> fully-qualified name incl. domain/realm part), I would 
like to propose the following naming schema:

objectclasses: ( OID_TBD NAME 'ipaNameQualificationData' DESC 'data used 
for short name qualification data' SUP top AUXILIARY MAY 
(ipaNameQualificationDomainList) X-ORIGIN 'IPA 4.5' )

attributeTypes: ( OID_TBD NAME 'ipaNameQualificationDomainList' DESC 
'List of domains used to qualify user short name' EQUALITY 
caseIgnoreIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
X-ORIGIN 'IPA v4.5' )

Let me know if you are ok with this or am I overengineering the names?

I would like to solve this quickly so that I can finish the design and 
start implementation.


--
Martin^3 Babinsky
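The thread above (this message and Simo's and Alexander's replies to it) settles on a single-valued attribute, proposed as 'ipaNameQualificationDomainList' and then 'ipaFQDNCheckOrder', that lists the domains to try, in order, when a user presents a short name, carried by an auxiliary objectclass so that any object can hold an override. The following is an added example, not FreeIPA code, of the resolution logic such a list implies. It assumes ':' as the separator inside the single value (the page does not fix the syntax), an in-memory dict standing in for the user lookup, and that a per-object override replaces the global list rather than merging with it; all sample users and domains are constructed.

```python
"""Short-name qualification against an ordered domain list (added example)."""
from typing import Dict, List, Optional, Set

SEPARATOR = ":"  # assumption: the design draft does not fix the list syntax


def parse_domain_order(value: Optional[str]) -> List[str]:
    """Split the single attribute value into an ordered, de-duplicated list.

    Domains are DNS names, so they are compared case-insensitively and a
    trailing dot is dropped; empty items (e.g. from a trailing ':') are ignored.
    """
    order: List[str] = []
    if not value:
        return order
    for item in value.split(SEPARATOR):
        domain = item.strip().lower().rstrip(".")
        if domain and domain not in order:
            order.append(domain)
    return order


def effective_order(override: Optional[str], global_value: Optional[str]) -> List[str]:
    """An override on a more specific object replaces the global list wholesale."""
    return parse_domain_order(override) or parse_domain_order(global_value)


def qualify(name: str, order: List[str], directory: Dict[str, Set[str]]) -> Optional[str]:
    """Map a login name to 'user@domain', or None if it cannot be resolved.

    - An already qualified name is only validated, never re-qualified, so the
      domain list cannot redirect it to another domain.
    - A short name is looked up in each listed domain in turn; the first hit
      wins, which is what makes the list order a policy decision.
    - Domains absent from the list are never consulted for short names.
    """
    if "@" in name:
        user, _, domain = name.rpartition("@")
        user, domain = user.lower(), domain.lower().rstrip(".")
        if user and user in directory.get(domain, set()):
            return "%s@%s" % (user, domain)
        return None
    user = name.lower()
    for domain in order:
        if user in directory.get(domain, set()):
            return "%s@%s" % (user, domain)
    return None


# Constructed sample data: one IPA domain and two trusted AD domains, with
# 'alice' present in two of them so that the list order decides the outcome.
DIRECTORY: Dict[str, Set[str]] = {
    "ipa.example": {"alice", "bob"},
    "ad.example": {"alice", "carol"},
    "sub.ad.example": {"dave"},
}
GLOBAL_ORDER = "ipa.example:ad.example:sub.ad.example"
HOST_OVERRIDE = "ad.example:ipa.example"


def resolve(name: str, override: Optional[str] = None) -> Optional[str]:
    """Resolve against the sample data, honouring an optional per-object override."""
    return qualify(name, effective_order(override, GLOBAL_ORDER), DIRECTORY)


if __name__ == "__main__":
    for login, override in [("alice", None), ("alice", HOST_OVERRIDE),
                            ("carol", None), ("dave", "ipa.example"),
                            ("Bob@IPA.example.", None), ("bob@ad.example", None)]:
        print("%-18s override=%-22s -> %s" % (login, override, resolve(login, override)))
```

Two points the code makes that the schema alone does not: an ambiguous short name ('alice' here) resolves differently depending on whether the host or ID view carries an override, so the override is itself a security-relevant setting and should be as tightly controlled as the global one; and a short name never resolves in a domain that is not listed, so leaving a trusted domain out of the list is a way to require fully qualified logins from it.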



[Freeipa-devel] [freeipa PR#504][comment] Add SHA256 fingerprints

2017-03-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

stlaz commented:
"""
Hm, apparently I had old `po/`, never mind, then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/504#issuecomment-284656476

[Freeipa-devel] [freeipa PR#504][+ack] Add SHA256 fingerprints

2017-03-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/504
Title: #504: Add SHA256 fingerprints

Label: +ack

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Hi @HonzaCholasta 
sorry I overlooked the change for count. It's updated now, thank you for the 
review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-284655430

[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card

2017-03-07 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
 Title: #516: IdM Server: list all Employees with matching Smart Card
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516
From 409dbe59d7b47806677db679eeb337186aeaa47c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 23 Feb 2017 18:04:47 +0100
Subject: [PATCH] IdM Server: list all Employees with matching Smart Card

Implement a new IPA command that retrieves the list of users matching
the provided certificate.
The command uses the SSSD DBus interface, thus including users from the IPA
domain and from trusted domains. This requires the sssd-dbus package to be
installed on the IPA server.

https://fedorahosted.org/freeipa/ticket/6646
---
 API.txt  |  12 
 freeipa.spec.in  |   2 +
 ipaserver/plugins/certmap.py | 160 ++-
 3 files changed, 173 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index a8f8ff1..ace3101 100644
--- a/API.txt
+++ b/API.txt
@@ -824,6 +824,16 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: certmap_match/1
+args: 1,3,4
+arg: Bytes('certificate', cli_name='certificate')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Output('count', type=[])
+output: ListOfEntries('result')
+output: Output('summary', type=[, ])
+output: Output('truncated', type=[])
 command: certmapconfig_mod/1
 args: 0,8,3
 option: Str('addattr*', cli_name='addattr')
@@ -6517,6 +6527,8 @@ default: cert_request/1
 default: cert_revoke/1
 default: cert_show/1
 default: cert_status/1
+default: certmap/1
+default: certmap_match/1
 default: certmapconfig/1
 default: certmapconfig_mod/1
 default: certmapconfig_show/1
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5b736b6..cc7422a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -284,6 +284,8 @@ Requires: gzip
 Requires: oddjob
 # Require 0.6.0 for the new delegation access control features
 Requires: gssproxy >= 0.6.0
+# Require 1.15.1 for the certificate identity mapping feature
+Requires: sssd-dbus >= 1.15.1
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
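Review bot: `Requires: sssd-dbus >= 1.15.1` only makes the infopipe responder installable; the new `_sssd.__init__` in certmap.py still raises RemoteRetrieveError whenever `org.freedesktop.sssd.infopipe` is not reachable on the system bus, which is the case when the ifp responder is not enabled in sssd.conf. Please confirm the server installer/upgrader enables it, or document that requirement next to this dependency so certmap_match does not fail with a generic "Failed to connect to sssd over SystemBus" on otherwise healthy servers.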
diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py
index c37eae3..fc26586 100644
--- a/ipaserver/plugins/certmap.py
+++ b/ipaserver/plugins/certmap.py
@@ -17,9 +17,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
+import dbus
 import six
 
-from ipalib import api, errors
+from ipalib import api, errors, x509
+from ipalib import Bytes
+from ipalib.crud import Search
+from ipalib.frontend import Object
 from ipalib.parameters import Bool, DNSNameParam, Flag, Int, Str
 from ipalib.plugable import Registry
 from .baseldap import (
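Review bot: the module-level `import dbus` makes the whole certmap plugin, including the pre-existing certmaprule/certmapconfig commands, fail to load when the Python dbus bindings are absent; the spec hunk adds `sssd-dbus` but does not visibly add the Python dbus package. Either confirm it is already a server dependency or import `dbus` lazily inside `_sssd.__init__`, so a missing binding only affects certmap_match and surfaces through the existing RemoteRetrieveError path.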
@@ -33,6 +38,7 @@
 pkey_to_value)
 from ipalib import _, ngettext
 from ipalib import output
+from ipaserver.plugins.service import validate_certificate
 
 
 if six.PY3:
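Review bot: `from ipaserver.plugins.service import validate_certificate` couples certmap.py to an unrelated command plugin; if the validator is general-purpose, consider moving it to a shared module (for example alongside the `x509` helpers imported above) so both plugins depend on the helper rather than on each other.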
@@ -389,3 +395,155 @@ def execute(self, cn, **options):
 result=True,
 value=pkey_to_value(cn, options),
 )
+
+
+DBUS_SSSD_NAME = 'org.freedesktop.sssd.infopipe'
+DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties'
+DBUS_SSSD_USERS_PATH = '/org/freedesktop/sssd/infopipe/Users'
+DBUS_SSSD_USERS_IF = 'org.freedesktop.sssd.infopipe.Users'
+DBUS_SSSD_USER_IF = 'org.freedesktop.sssd.infopipe.Users.User'
+
+
+class _sssd(object):
+"""
+Auxiliary class for SSSD infopipe DBus.
+"""
+def __init__(self, log):
+"""
+Initialize the Users object and interface.
+
+   :raise RemoteRetrieveError: if DBus error occurs
+"""
+try:
+self.log = log
+self._bus = dbus.SystemBus()
+self._users_obj = self._bus.get_object(
+DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH)
+self._users_iface = dbus.Interface(
+self._users_obj, DBUS_SSSD_USERS_IF)
+except dbus.DBusException as e:
+self.log.error(
+'Failed to initialize DBus interface {iface}. DBus '
+'exception is {exc}.'.format(iface=DBUS_SSSD_USERS_IF, exc=e)
+)
+raise errors.RemoteRetrieveError(
+reason=_('Failed to connect to sssd over SystemBus. '
+ 'See details in the error_log'))
+
+def list_users_by_cert(self, cert):
+"""
+Look for users matching the cert.
+
+Call Users.ListByCertificate interface and return a dict
+with key = domain, value = list of uids
+corresponding to the users matching the provided cert
+