[Freeipa-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1

2017-03-12 Thread Matthew Harmsen
The following updated candidate builds of ldapjdk 4.19 and tomcatjss
7.2.0 were generated:

 * Fedora 25:
    o ldapjdk-4.19-1.fc25
    o tomcatjss-7.2.0-1.fc25
 * Fedora 26:
    o ldapjdk-4.19-1.fc26
    o tomcatjss-7.2.0-1.fc26
 * Fedora 27:
    o ldapjdk-4.19-1.fc27
    o tomcatjss-7.2.0-1.fc27

These builds address the following Bugs and Pagure Issues:

 * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no
   host:port
 * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
 * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+

Please provide Karma for the following builds:

 * Fedora 25:
    o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15
      ldapjdk-4.19-1.fc25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7
      tomcatjss-7.2.0-1.fc25
 * Fedora 26:
    o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981
      ldapjdk-4.19-1.fc26
    o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632
      tomcatjss-7.2.0-1.fc26

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

2017-03-12 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139
From fa1ff996452da2ec6dc114a62a0c69dc0218474d Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 09:54:24 +0200
Subject: [PATCH 01/15] Additional option to add and del operations can be set

By setting the property 'additional_add_del_field' to the name of one of
the fields on the current details page, we choose the field whose value
will be added to *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 7579bb0..d44f8c8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) {
 
 var that = IPA.table_widget(spec);
 
+/**
+ * The value should be name of the field, which will be added to *_add_*,
+ * *_del_* commands as option: {fieldname: fieldvalue}.
+ *
+ * @property {String} fieldname
+ */
+that.additional_add_del_field = spec.additional_add_del_field;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
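Review bot: The JSDoc tag on the new property reads `@property {String} fieldname`, but the property being assigned is `additional_add_del_field`; rename the tag to match so generated docs and readers find it under the right name. The description could also say that the named field must exist on the current details page, as the commit message does.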
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) {
 });
 command.set_option(that.other_entity.name, values);
 
+that.join_additional_option(command);
+
 command.execute();
 };
 
+that.join_additional_option = function(command) {
+var add_opt = that.additional_add_del_field;
+if (add_opt && typeof add_opt === 'string') {
+var opt_field = that.entity.facet.get_field(add_opt);
+var value;
+if (opt_field) value = opt_field.get_value()[0];
+
+command.set_option(add_opt, value);
+}
+};
+
 that.show_remove_dialog = function() {
 
 var selected_values = that.get_selected_values();
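Review bot: In `join_additional_option`, `command.set_option(add_opt, value)` runs even when `get_field(add_opt)` returns nothing, so a misspelled or missing field name sends the option with an undefined value instead of failing visibly. Move the `set_option` call inside the `if (opt_field)` branch (with braces), and decide what should happen when `get_value()` returns an empty list, since `[0]` is then undefined as well.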
@@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) {
 });
 
 command.set_option(that.other_entity.name, values);
+that.join_additional_option(command);
 
 command.execute();
 };

From f0fdd68f7f1cfdfba0660d0e99e0ac3b999d88ee Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 10:09:20 +0200
Subject: [PATCH 02/15] Allow to set another other_entity name

Association table's add and del commands need, as an option, the list of cn
of the other_entity which is added or deleted. There is a case (currently in
vaults) where the name of the option is different from the name of other_entity.
In this situation we can set 'other_option_name' and put the option name there.
This option name will be used instead of the 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 29 ++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index d44f8c8..02f990a 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -429,6 +429,22 @@ IPA.association_table_widget = function (spec) {
  */
 that.additional_add_del_field = spec.additional_add_del_field;
 
+/**
+ * Can be used in situations when the *_add_member command needs entity
+ * as a parameter, but parameter has different name than entity.
+ * i.e. vault_add_member --services=[values] ... this needs values from service
+ * entity, but option is called services, that we can set by setting
+ * this option in spec to other_option_name: 'services'
+ *
+ * @property {String} other_option_name
+ */
+that.other_option_name = spec.other_option_name;
+
+/**
+ * Entity which is added into member table.
+ *
+ * @property {String} other_entity
+ */
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
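Review bot: The added doc block tags `other_entity` as `@property {String}`, but the line below it assigns the result of `IPA.get_entity(spec.other_entity)`, so the property holds an entity object and only the spec value is a string; adjust the type. In the `other_option_name` comment, "i.e." introduces an example and should be "e.g.", and it would help to state that the other entity's name is still used when this option is unset.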
@@ -683,9 +699,9 @@ IPA.association_table_widget = function (spec) {
 on_success: on_success,
 on_error: on_error
 });
-command.set_option(that.other_entity.name, values);
 
 that.join_additional_option(command);
+that.handle_entity_option(command, values);
 
 command.execute();
 };
@@ -701,6 +717,14 @@ IPA.association_table_widget = function (spec) {
 }
 };
 
+that.handle_entity_option = function(command, values) {
+var option_name = that.other_option_name;
+

[Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login

2017-03-12 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
From 52e58f561fa04e2139efea7b7f9215ab56f0da19 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 9 Mar 2017 12:14:21 +0100
Subject: [PATCH 1/2] Support certificate login after installation and upgrade

Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in |  1 +
 install/conf/ipa.conf   | 24 +++-
 ipaclient/install/client.py | 20 
 ipaserver/install/httpinstance.py   |  1 +
 ipaserver/install/server/upgrade.py |  5 +
 5 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6eb00ee..bc3f3fb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -255,6 +255,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
 Requires: mod_nss >= 1.0.8-26
 Requires: mod_session
+Requires: mod_lookup_identity
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
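Review bot: `Requires: mod_lookup_identity` is added without a version bound, unlike the neighbouring `mod_auth_gssapi >= 1.5.0` and `mod_nss >= 1.0.8-26` lines, while the ipa.conf change in this patch depends on the `LookupUserByCertificate` directive. If that directive is only available from a particular release of the module, state the minimum version here so an older package cannot satisfy the dependency.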
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 419d4e3..71330e1 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -4,8 +4,13 @@
 # This file may be overwritten on upgrades.
 #
 
-ProxyRequests Off
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
 
+ProxyRequests Off
 
 #We use xhtml, a file format that the browser validates
 DirectoryIndex index.html
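Review bot: The comment above `LoadModule lookup_identity_module` says the module is loaded "in case it has not been loaded yet", but as shown here the `LoadModule` line carries no visible conditional; make sure it is wrapped in a negated `IfModule` test so a load line shipped by the distribution does not lead to a duplicate-load warning. The comment should read "according to the certificate", and moving `ProxyRequests Off` below the new block is unrelated to the feature and could stay where it was to keep the diff minimal.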
@@ -97,6 +102,23 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   Allow from all
 
 
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after 
+
+  AuthType none
+  Require all granted
+  GssapiCredStore keytab:/var/lib/ipa/gssproxy/http.keytab
+  GssapiCredStore client_keytab:/var/lib/ipa/gssproxy/http.keytab
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiImpersonate On
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+
+
 
   Satisfy Any
   Order Deny,Allow
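Review bot: In the new certificate login block, `AuthType none` with `Require all granted` leaves `NSSVerifyClient require` as the only gate in front of `GssapiImpersonate On`, so every certificate that validates against the server's trusted CAs and maps to a user through `LookupUserByCertificate On` results in credentials for that user. Please document that trust assumption next to the block: which CAs are expected in the NSS database, and what happens when a certificate matches no user or more than one. The leading comment "This configuration needs to be loaded after" is incomplete as shown, and the block uses 2.4-style `Require all granted` while the surrounding context uses `Order Deny,Allow`.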
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 774eaaf..579d1aa 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -846,6 +846,9 @@ def configure_sssd_conf(
 sssdconfig.new_config()
 domain = sssdconfig.new_domain(cli_domain)
 
+if options.on_master:
+sssd_enable_service(sssdconfig, 'ifp')
+
 if (
 (options.conf_ssh and file_exists(paths.SSH_CONFIG)) or
 (options.conf_sshd and file_exists(paths.SSHD_CONFIG))
@@ -948,6 +951,23 @@ def configure_sssd_conf(
 return 0
 
 
+def sssd_enable_service(sssdconfig, service):
+try:
+sssdconfig.new_service(service)
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
+root_logger.error(
+"Unable to activate the %s service in SSSD config.", service)
+root_logger.info(
+"Please make sure you have SSSD built with %s support "
+"installed.", service)
+root_logger.info(
+"Configure %s support manually in /etc/sssd/sssd.conf.", service)
+
+sssdconfig.activate_service(service)
+
+
 def change_ssh_config(filename, changes, sections):
 if not changes:
 return True
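Review bot: In `sssd_enable_service`, the `ServiceNotRecognizedError` handler logs the problem but then falls through to `sssdconfig.activate_service(service)`, which is called for a service that `new_service` just refused to create. Return from the handler (or move `activate_service` into an `else:` clause) so the failure path stops after telling the admin to configure the service manually. A short docstring stating that the caller is responsible for writing the config would also help, since this function does not save it.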
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..048f317 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -53,6 +53,7 @@
 httpd_can_network_connect='on',
 httpd_manage_ipa='on',
 httpd_run_ipa='on',
+httpd_dbus_sssd='on',
 )
 
 HTTPD_USER = constants.HTTPD_USER
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index b19c2f0..993835e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -23,6 +23,7 @@
 import SSSDConfig
 import ipalib.util
 import ipalib.errors
+from ipaclient.install.client import sssd_enable_service
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipapython import ipautil, version, certdb
@@ -1771,6 +1772,10 @@ def upgrade_configuration():
 
 set_sssd_domain_option('ipa_server_mode', 'True')
 
+sssdconfig = SSSDConfig.SSSDConfig()
+sssdconfig.import_config()
+sssd_enable_service(sssdconfig, 'ifp')
+
 krb = krbinstance.KrbInstance(fstore)
 krb.fqdn = fqdn
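Review bot: The three added lines in `upgrade_configuration` load sssd.conf with `import_config()` and enable `ifp` on the in-memory object, but nothing visible here writes the result back, so the upgrade would leave the file unchanged unless later code saves it (the `sssd_enable_service` helper added in client.py does not). Add an explicit write after `sssd_enable_service(sssdconfig, 'ifp')`, and handle the case where `import_config()` fails because the file is missing or unreadable.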