[Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/610
Title: #610: [4.3] Fix cookie with Max-Age processing
MartinBasti commented:
"""
Please open a new ticket `Backport ...`. Ticket you used is closed in closed milestone
"""
See the full comment at https://github.com/freeipa/freeipa/pull/610#issuecomment-287195160
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#610][opened] [4.3] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/610 Author: stlaz Title: #610: [4.3] Fix cookie with Max-Age processing Action: opened PR body: """ When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/610/head:pr610 git checkout pr610 From 23eb7a27f00b418314beb1c69efeff5d45403607 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 2 Mar 2017 09:11:34 +0100 Subject: [PATCH] Fix cookie with Max-Age processing When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 --- ipalib/rpc.py | 13 + ipapython/cookie.py | 5 - 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 207149e..ef3a2a7 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -693,8 +693,11 @@ def store_session_cookie(self, cookie_header): # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +session_cookie = ( +Cookie.get_named_cookie_from_string( +cookie_header, COOKIE_NAME, request_url, +timestamp=datetime.datetime.utcnow()) +) except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return 
@@ -788,8 +791,10 @@ def get_session_cookie_from_persistent_storage(self, principal): # Search for the session cookie within the cookie string try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME) -except Exception as e: +session_cookie = Cookie.get_named_cookie_from_string( +cookie_string, COOKIE_NAME, +timestamp=datetime.datetime.utcnow()) +except Exception: return None return session_cookie diff --git a/ipapython/cookie.py b/ipapython/cookie.py index d32640a..6f7bc6c 100644 --- a/ipapython/cookie.py +++ b/ipapython/cookie.py @@ -321,7 +321,8 @@ def parse(cls, cookie_string, request_url=None): return cookies @classmethod -def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None): +def get_named_cookie_from_string(cls, cookie_string, cookie_name, + request_url=None, timestamp=None): ''' A cookie string may contain multiple cookies, parse the cookie string and return the last cookie in the string matching the @@ -343,6 +344,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No if cookie.key == cookie_name: target_cookie = cookie +if timestamp is not None: +target_cookie.timestamp = timestamp if request_url is not None: target_cookie.normalize(request_url) return target_cookie -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
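Review bot: In get_session_cookie_from_persistent_storage (ipalib/rpc.py), passing `timestamp=datetime.datetime.utcnow()` stamps a cookie loaded from storage with the load time, not the time the server issued it. The commit message says expiration is derived as timestamp + max_age, so a stored cookie with Max-Age gets a fresh expiry on every load and the client-side expiry check never trips for it. Consider persisting the receipt time (or the computed absolute expiry) together with the cookie in store_session_cookie and reusing it here. The narrowed `except Exception:` in the same hunk also returns None without logging anything, unlike the error logged in store_session_cookie.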
[Freeipa-devel] [freeipa PR#609][synchronized] [4.4] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 From 3fe71ab3e2febcf01a7187bcac2773e86b917844 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 2 Mar 2017 09:11:34 +0100 Subject: [PATCH] Fix cookie with Max-Age processing When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 --- ipalib/rpc.py | 13 + ipapython/cookie.py | 5 - 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 1c00289..cd14d91 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -699,8 +699,11 @@ def store_session_cookie(self, cookie_header): # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +session_cookie = ( +Cookie.get_named_cookie_from_string( +cookie_header, COOKIE_NAME, request_url, +timestamp=datetime.datetime.utcnow()) +) except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return @@ -794,8 +797,10 @@ def get_session_cookie_from_persistent_storage(self, principal): # Search for the session cookie within the cookie string try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME) -except Exception as e: +session_cookie = Cookie.get_named_cookie_from_string( +cookie_string, COOKIE_NAME, +timestamp=datetime.datetime.utcnow()) +except Exception: return None return session_cookie diff --git a/ipapython/cookie.py b/ipapython/cookie.py index 89c3e3c..2831394 100644 --- a/ipapython/cookie.py +++ b/ipapython/cookie.py 
@@ -320,7 +320,8 @@ def parse(cls, cookie_string, request_url=None): return cookies @classmethod -def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None): +def get_named_cookie_from_string(cls, cookie_string, cookie_name, + request_url=None, timestamp=None): ''' A cookie string may contain multiple cookies, parse the cookie string and return the last cookie in the string matching the @@ -342,6 +343,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No if cookie.key == cookie_name: target_cookie = cookie +if timestamp is not None: +target_cookie.timestamp = timestamp if request_url is not None: target_cookie.normalize(request_url) return target_cookie -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
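Review bot: In the second ipapython/cookie.py hunk, `target_cookie.timestamp = timestamp` dereferences target_cookie whenever a timestamp is supplied, and both callers in ipalib/rpc.py now always supply one. If no cookie in the string matches cookie_name and target_cookie is still None at that point, this raises AttributeError; in get_session_cookie_from_persistent_storage, which passes no request_url and so did not touch target_cookie before this change, the bare `except Exception:` would hide it. The visible context shows no guard, so check that target_cookie is not None before setting the timestamp and normalizing, or document that a missing cookie is reported by exception.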
[Freeipa-devel] [freeipa PR#609][edited] [4.4] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/609
Author: stlaz
Title: #609: [4.4] Fix cookie with Max-Age processing
Action: edited
Changed field: body
Original value:
"""
When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails
https://pagure.io/freeipa/issue/6718
Reviewed-By: Simo Sorce
"""
[Freeipa-devel] [freeipa PR#609][opened] [4.4] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/609 Author: stlaz Title: #609: [4.4] Fix cookie with Max-Age processing Action: opened PR body: """ When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/609/head:pr609 git checkout pr609 From ff09ec7debf00a690f3a9e1f27891439bd6221c5 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 2 Mar 2017 09:11:34 +0100 Subject: [PATCH] Fix cookie with Max-Age processing When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce --- ipalib/rpc.py | 13 + ipapython/cookie.py | 5 - 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 1c00289..cd14d91 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -699,8 +699,11 @@ def store_session_cookie(self, cookie_header): # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +session_cookie = ( +Cookie.get_named_cookie_from_string( +cookie_header, COOKIE_NAME, request_url, +timestamp=datetime.datetime.utcnow()) +) except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return 
@@ -794,8 +797,10 @@ def get_session_cookie_from_persistent_storage(self, principal): # Search for the session cookie within the cookie string try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME) -except Exception as e: +session_cookie = Cookie.get_named_cookie_from_string( +cookie_string, COOKIE_NAME, +timestamp=datetime.datetime.utcnow()) +except Exception: return None return session_cookie diff --git a/ipapython/cookie.py b/ipapython/cookie.py index 89c3e3c..2831394 100644 --- a/ipapython/cookie.py +++ b/ipapython/cookie.py @@ -320,7 +320,8 @@ def parse(cls, cookie_string, request_url=None): return cookies @classmethod -def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None): +def get_named_cookie_from_string(cls, cookie_string, cookie_name, + request_url=None, timestamp=None): ''' A cookie string may contain multiple cookies, parse the cookie string and return the last cookie in the string matching the @@ -342,6 +343,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No if cookie.key == cookie_name: target_cookie = cookie +if timestamp is not None: +target_cookie.timestamp = timestamp if request_url is not None: target_cookie.normalize(request_url) return target_cookie -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
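Review bot: In the first ipapython/cookie.py hunk, get_named_cookie_from_string gains `timestamp=None`, but the hunk changes only the signature line and leaves the docstring below it untouched, so the new parameter is undocumented. Please describe it there, including that callers pass a UTC value from `datetime.datetime.utcnow()`. Also, no hunk adds an import to ipalib/rpc.py, so confirm that `datetime` is already imported in that module on this branch.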
[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 From 6c29861853a8857c3b6b3e1d6a85778e9ed13097 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 16 Mar 2017 10:22:59 +0100 Subject: [PATCH] Backup ipa-specific httpd unit-file On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. https://pagure.io/freeipa/issue/6748 --- ipaserver/install/ipa_backup.py | 1 + ipaserver/install/ipa_restore.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 07c50c8..56583c0 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -166,6 +166,7 @@ class Backup(admintool.AdminTool): paths.KDC_CERT, paths.KDC_KEY, paths.SYSTEMD_IPA_SERVICE, +paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, paths.SYSTEMD_SSSD_SERVICE, paths.SYSTEMD_CERTMONGER_SERVICE, paths.SYSTEMD_PKI_TOMCAT_SERVICE, diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index d798654..2552bbd 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -414,6 +414,8 @@ def run(self): sssd = services.service('sssd', api) sssd.restart() http.remove_httpd_ccaches() +# have the daemons pick up their restored configs +run([paths.SYSTEMCTL, "--system", "daemon-reload"]) finally: try: os.chdir(cwd) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
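Review bot: In the ipaserver/install/ipa_restore.py hunk, the `daemon-reload` is issued after `sssd.restart()` and `http.remove_httpd_ccaches()`, that is, after at least one service has already been restarted. systemd merges the restored httpd drop-in only when it reloads its units, so the call belongs directly after the files are put back and before any service is started; please confirm httpd is not started earlier in run(). The added comment is also slightly misleading: daemon-reload makes systemd re-read unit files, it does not make running daemons pick up configuration, so httpd still has to be started or restarted afterwards.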
[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file
stlaz commented:
"""
We need to perform `paths.SYSTEMCTL --system daemon-reload` here as well.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287091722
[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features
URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features
MartinBasti commented:
"""
I assume that this is not WIP anymore then
"""
See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-287066488
[Freeipa-devel] [freeipa PR#608][edited] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608
Author: HonzaCholasta
Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Action: edited
Changed field: body
Original value:
"""
Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd.
This fixes authentication failures ("No valid Negotiate header in server response") due to missing GSS_USE_PROXY=yes in httpd environment.
https://pagure.io/freeipa/issue/6773
"""
[Freeipa-devel] [freeipa PR#608][synchronized] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/608/head:pr608 git checkout pr608 From 4f46130eb09c53d8baebee070229312405c618f7 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 12:51:29 + Subject: [PATCH] tasks: run `systemctl daemon-reload` after httpd.service.d updates Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing `GSS_USE_PROXY=yes` in httpd environment. https://pagure.io/freeipa/issue/6773 --- ipaplatform/redhat/tasks.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index c1b574e..d0ef5fb 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -483,6 +483,9 @@ def configure_httpd_service_ipa_conf(self): os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644) self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) +ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], +raiseonerr=False) + def configure_http_gssproxy_conf(self): ipautil.copy_template_file( os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'), 
@@ -513,6 +516,10 @@ def remove_httpd_service_ipa_conf(self): 'Error removing %s: %s', paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e ) +return + +ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], +raiseonerr=False) def set_hostname(self, hostname): ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname]) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
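Review bot: In configure_httpd_service_ipa_conf, `raiseonerr=False` discards a failed `daemon-reload` without any trace, although the commit message ties a missing reload directly to authentication failures ("No valid Negotiate header in server response"). Capture the result of `ipautil.run` and log a warning on a non-zero return code so a failed reload shows up in the install log. A short comment that the reload only updates systemd's view of the unit, and that an httpd which is already running keeps its old environment until restarted, would also help.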
[Freeipa-devel] [freeipa PR#608][opened] tasks: run `systemctl daemon-reload` after httpd.service.d updates
URL: https://github.com/freeipa/freeipa/pull/608 Author: HonzaCholasta Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates Action: opened PR body: """ Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing GSS_USE_PROXY=yes in httpd environment. https://pagure.io/freeipa/issue/6773 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/608/head:pr608 git checkout pr608 From 35bf73a14ccece2113bd3c58aca6943cf5219157 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 12:51:29 + Subject: [PATCH] tasks: run `systemctl daemon-reload` after httpd.service.d updates Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing GSS_USE_PROXY=yes in httpd environment. https://pagure.io/freeipa/issue/6773 --- ipaplatform/redhat/tasks.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index c1b574e..d0ef5fb 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py 
@@ -483,6 +483,9 @@ def configure_httpd_service_ipa_conf(self): os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644) self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) +ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], +raiseonerr=False) + def configure_http_gssproxy_conf(self): ipautil.copy_template_file( os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'), @@ -513,6 +516,10 @@ def remove_httpd_service_ipa_conf(self): 'Error removing %s: %s', paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e ) +return + +ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], +raiseonerr=False) def set_hostname(self, hostname): ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname]) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
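Review bot: In remove_httpd_service_ipa_conf, the added `return` after the 'Error removing %s: %s' log call skips the `daemon-reload` on that path. If that branch can also run when the drop-in is already gone from disk, systemd keeps the stale merged copy, which is the state this patch is meant to prevent; daemon-reload is idempotent, so consider running it unconditionally or returning only when the file is known to still exist. The same `ipautil.run` call is now duplicated in two methods; a small helper would keep the arguments in one place.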
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
martbab commented:
"""
master:
* 4ee7e4ee6d6500d8b8935c9033388adc4cdbe672 Add options to allow ticket caching
"""
See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287038542
[Freeipa-devel] [freeipa PR#543][closed] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
Title: #543: Add options to allow ticket caching
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
[Freeipa-devel] [freeipa PR#543][+pushed] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
Label: +pushed
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
martbab commented:
"""
I think that we have all dependencies in spec already so I do not see a reason not to.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287038339
[Freeipa-devel] [freeipa PR#543][+ack] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
Label: +ack
[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 From 657ac1620da3982a497b598b737b59935e6d7a58 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 16 Mar 2017 10:22:59 +0100 Subject: [PATCH] Backup ipa-specific httpd unit-file On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. The kdcproxy configuration symlink to enable kdcproxy was missing as well, adding it on top of it. https://pagure.io/freeipa/issue/6748 --- ipaserver/install/ipa_backup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 07c50c8..56583c0 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -166,6 +166,7 @@ class Backup(admintool.AdminTool): paths.KDC_CERT, paths.KDC_KEY, paths.SYSTEMD_IPA_SERVICE, +paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, paths.SYSTEMD_SSSD_SERVICE, paths.SYSTEMD_CERTMONGER_SERVICE, paths.SYSTEMD_PKI_TOMCAT_SERVICE, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
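Review bot: The commit message still says the kdcproxy configuration symlink is being added, but the only hunk in this revision adds `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF` to the Backup file list (1 file changed, 1 insertion). Drop that sentence from the message, or restore the second list entry, so that message and diff agree.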
[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file
stlaz commented:
"""
Ah, right.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287032822
[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file
tiran commented:
"""
The symlink is generated by a script when httpd is started.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287029814
[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 From d684e43ffc9a3ca8411cad6b63348b30ed7ed2e5 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 16 Mar 2017 10:22:59 +0100 Subject: [PATCH] Backup ipa-specific httpd unit-file On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. The kdcproxy configuration symlink to enable kdcproxy was missing as well, adding it on top of it. https://pagure.io/freeipa/issue/6748 --- ipaserver/install/ipa_backup.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 07c50c8..ed3fcf8 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -144,6 +144,7 @@ class Backup(admintool.AdminTool): paths.HTTPD_PASSWORD_CONF, paths.HTTP_KEYTAB, paths.HTTPD_IPA_KDCPROXY_CONF, +paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK, paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_REWRITE_CONF, paths.HTTPD_NSS_CONF, @@ -166,6 +167,7 @@ class Backup(admintool.AdminTool): paths.KDC_CERT, paths.KDC_KEY, paths.SYSTEMD_IPA_SERVICE, +paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, paths.SYSTEMD_SSSD_SERVICE, paths.SYSTEMD_CERTMONGER_SERVICE, paths.SYSTEMD_PKI_TOMCAT_SERVICE, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
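Review bot: Both hunks only extend the file list in ipaserver/install/ipa_backup.py, and nothing on the restore side changes. A restored `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF` drop-in is not merged into httpd.service until systemd reloads its units, so the restore path needs a `systemctl --system daemon-reload` before httpd is started, otherwise the restored file has no effect. For `paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK` in the first hunk, please check that the backup stores the link itself and not a second copy of its target.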
[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file
stlaz commented:
"""
Thanks, @tiran, this is a good idea, I noticed also KDCProxy conf symlink was missing.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287029314
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6771 Signed-off-by: Simo Sorce --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
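Review bot: Both hunks add `allow_client_ccache_sync = true` to install/share/gssproxy.conf.template unconditionally, while the commit message says the option is only planned to land in gssproxy 0.7 and needs krb5 libs 1.15.1 to take effect. Please state how an older gssproxy treats the unknown key and make sure the packaging requires the minimum versions, or add a template comment naming both.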
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching
simo5 commented:
"""
@MartinBasti can we push this? It makes a big difference in framework performance and load on the KDC
"""
See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287024418
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
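Review bot: The second hunk enables `allow_client_ccache_sync = true` for the service that also has `allow_constrained_delegation = true` and `euid = $IPAAPI_USER`. The commit message explains the performance gain but not what the option allows to be synced back to the client's ccache; a sentence on that, and on why it is acceptable for a delegation-capable service, belongs in the message or as a template comment. The first sentence of the message is also ungrammatical ("This new option ... we cache") and would read better as "With this new option we cache".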
[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file
tiran commented:
"""
LGTM
Did you check if there are more files missing after backup, uninstall, restore? You could use ```find /etc /usr /var >before_uninstall``` before uninstall and after restore, then compare the files with diff.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/607#issuecomment-287009174
[Freeipa-devel] [freeipa PR#604][closed] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604
Author: MartinBasti
Title: #604: [4.5] Set zanata version to ipa-4-5
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/604/head:pr604
git checkout pr604
[Freeipa-devel] [freeipa PR#604][+pushed] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 Label: +pushed
[Freeipa-devel] [freeipa PR#604][comment] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 pvomacka commented: """ ipa-4-5: * a1f2754f18f93752f97d14168b74fb0f299d795d Set zanata version to ipa-4-5 """ See the full comment at https://github.com/freeipa/freeipa/pull/604#issuecomment-287004757
[Freeipa-devel] [freeipa PR#605][closed] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Author: MartinBasti Title: #605: Set development version to 4.5.90 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/605/head:pr605 git checkout pr605
[Freeipa-devel] [freeipa PR#605][comment] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 pvomacka commented: """ master: * 9ac62bec44b642838cbb175d94efd90acb417ecc Set development version to 4.5.90 """ See the full comment at https://github.com/freeipa/freeipa/pull/605#issuecomment-287004023
[Freeipa-devel] [freeipa PR#605][+pushed] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 Label: +pushed
[Freeipa-devel] [freeipa PR#607][opened] Backup ipa-specific httpd unit-file
URL: https://github.com/freeipa/freeipa/pull/607 Author: stlaz Title: #607: Backup ipa-specific httpd unit-file Action: opened PR body: """ On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. https://pagure.io/freeipa/issue/6748 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/607/head:pr607 git checkout pr607 From 510da02a1e78ae9571c72ef538edff8174f30efe Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 16 Mar 2017 10:22:59 +0100 Subject: [PATCH] Backup ipa-specific httpd unit-file On backup-restore, the ipa unit file for httpd was not backed up. This file however contains setting for httpd to communicate with gssproxy so not backing it up will result in httpd not knowing how to get credentials. https://pagure.io/freeipa/issue/6748 --- ipaserver/install/ipa_backup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 07c50c8..56583c0 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -166,6 +166,7 @@ class Backup(admintool.AdminTool): paths.KDC_CERT, paths.KDC_KEY, paths.SYSTEMD_IPA_SERVICE, +paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, paths.SYSTEMD_SSSD_SERVICE, paths.SYSTEMD_CERTMONGER_SERVICE, paths.SYSTEMD_PKI_TOMCAT_SERVICE,
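Review bot: The new `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF` entry covers the backup side only, and with a single-file diffstat nothing here shows how the file is handled on restore. Since the commit message describes it as a systemd unit file for httpd, please confirm that the restore path reloads systemd after putting the file back; otherwise httpd can be started from the stale unit definition and still miss the gssproxy setting. A regression check along the lines suggested in the review (compare `find /etc /usr /var` output before uninstall and after restore) would also catch other files missing from this list.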
[Freeipa-devel] [freeipa PR#379][-postponed] Packaging: Add IPA commands package
URL: https://github.com/freeipa/freeipa/pull/379 Title: #379: Packaging: Add IPA commands package Label: -postponed
[Freeipa-devel] [freeipa PR#379][edited] Packaging: Add IPA commands package
URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add IPA commands package Action: edited Changed field: title Original value: """ Packaging: Add placeholder and IPA commands packages """
[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add placeholder and IPA commands packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 From 380b2df4fded9ca2848853b5741b409ae58a58d4 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH] Packaging: Add IPA commands package The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for installation in a virtual env. The programs are compiled with distutils / setuptools. https://fedorahosted.org/freeipa/ticket/6484 Signed-off-by: Christian Heimes --- .gitignore | 7 ++ Makefile.am | 6 +- configure.ac | 1 + pypi/Makefile.am | 1 + pypi/ipacommands/MANIFEST.in | 25 ++ pypi/ipacommands/Makefile.am | 79 ++ pypi/ipacommands/setup.cfg | 5 ++ pypi/ipacommands/setup.py| 194 +++ 8 files changed, 317 insertions(+), 1 deletion(-) create mode 100644 pypi/ipacommands/MANIFEST.in create mode 100644 pypi/ipacommands/Makefile.am create mode 100644 pypi/ipacommands/setup.cfg create mode 100644 pypi/ipacommands/setup.py diff --git a/.gitignore b/.gitignore index 7e78a93..2e82174 100644 --- a/.gitignore +++ b/.gitignore @@ -113,3 +113,10 @@ freeipa2-dev-doc /ipaplatform/paths.py /ipaplatform/services.py /ipaplatform/tasks.py + +/pypi/ipacommands/COPYING +/pypi/ipacommands/Contributors.txt +/pypi/ipacommands/asn1 +/pypi/ipacommands/client +/pypi/ipacommands/ipasetup.py +/pypi/ipacommands/util diff --git a/Makefile.am b/Makefile.am index df4e05a..068eefb 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -228,12 +228,16 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel - $(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl + $(PYTHON) -m pip wheel \ + --wheel-dir $(WHEELBUNDLEDIR) \ + $(WHEELDISTDIR)/*.whl \ + $(WHEELDISTDIR)/*.tar.gz wheel_placeholder: $(WHEELDISTDIR) for dir in $(IPA_PLACEHOLDERS); do \ diff --git a/configure.ac b/configure.ac index 2d84426..f3ff64f 100644 --- a/configure.ac +++ b/configure.ac @@ -538,6 +538,7 @@ AC_CONFIG_FILES([ pypi/Makefile pypi/freeipa/Makefile pypi/ipa/Makefile +pypi/ipacommands/Makefile pypi/ipaplatform/Makefile pypi/ipaserver/Makefile pypi/ipatests/Makefile diff --git a/pypi/Makefile.am b/pypi/Makefile.am index 5d8be9c..be572c6 100644 --- a/pypi/Makefile.am +++ b/pypi/Makefile.am @@ -7,6 +7,7 @@ NULL = SUBDIRS = \ freeipa \ ipa\ + ipacommands \ ipaplatform \ ipaserver \ ipatests \ diff --git a/pypi/ipacommands/MANIFEST.in b/pypi/ipacommands/MANIFEST.in new file mode 100644 index 000..659a1f5 --- /dev/null +++ b/pypi/ipacommands/MANIFEST.in @@ -0,0 +1,25 @@ +include asn1/*.c +include asn1/*.h +include asn1/asn1c/*.c +include asn1/asn1c/*.h +include asn1/asn1c/ipa.asn1 + +include client/config.c +include client/config.h +include client/ipa-client-common.c +include client/ipa-client-common.h +include client/ipa-getkeytab.c +include client/ipa-join.c +include client/ipa-rmkeytab.c + +include util/ipa_krb5.c +include util/ipa_krb5.h + +prune client/asn1 +prune client/client +prune client/util + +include Contributors.txt COPYING +include config.h +include ipasetup.py +include setup.cfg diff --git a/pypi/ipacommands/Makefile.am b/pypi/ipacommands/Makefile.am new file mode 100644 index 000..645ce7a --- /dev/null +++ b/pypi/ipacommands/Makefile.am 
@@ -0,0 +1,79 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 + +NULL = + +pkgname = $(shell basename "$(abs_srcdir)") + +# hack to handle back-in-the-hierarchy depedency on ipasetup.py +.PHONY: $(top_builddir)/ipasetup.py +$(top_builddir)/ipasetup.py: + (cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py) + +DEPENDENCIES = \ + asn1\ + client\ + util\ + COPYING\ + Contributors.txt \ + config.h \ + ipasetup.py \ + $(NULL) + +# Python setup.py can handle symlinks to directories fine +asn1: $(top_srcdir)/asn1 + if [ ! -e "$@" ]; then ln -rs "$<"; fi + +client: $(top_srcdir)/client + if [ ! -e "$@" ]; then ln -rs "$<"; fi + +util: $(top_srcdir)/util + if [ ! -e "$@" ]; then ln -rs "$<"; fi + +# On the other hand files must be copied to create proper sdist +COPYING: $(top_srcdir)/COPYING + cp -p "$<" "$@" + +Contributors.txt: $(top_srcdir)/Contributors.txt + cp -p "$<" "$@" + +ipasetup.py: $(top_builddir)/ipasetup.py + cp -p "$<" "$@" + +config.h: $(top_builddir)/config.h + cp -p "$<" "$@" + + +all-local: $(DEPENDENCIES) +
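Review bot: In the top-level `Makefile.am` hunk, `wheel_bundle` now passes `$(WHEELDISTDIR)/*.tar.gz` to `pip wheel`, so every tarball that happens to sit in the dist directory is built, not only the ipacommands sdist. Building an sdist runs its `setup.py`, so a stale or unrelated archive left in that directory gets executed as part of the bundle; naming the ipacommands sdist explicitly would be safer. It is also surprising that the `bdist_wheel` target runs `sdist` in `pypi/ipacommands`, and a one-line comment explaining why would help.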
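Review bot: `pypi/ipacommands/MANIFEST.in` ships `client/ipa-join.c`, but the commit message says the package contains only ipa-getkeytab and ipa-rmkeytab. If ipa-join is not built by `setup.py`, drop the include; if it is, mention it in the commit message. The three `prune client/...` lines would also benefit from a comment saying what they guard against.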
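Review bot: The `asn1`, `client` and `util` rules in `pypi/ipacommands/Makefile.am` depend on `ln -rs`, and `-r` (relative) is a GNU coreutils extension, so these rules fail with other `ln` implementations; either document the GNU requirement or compute the relative path in the rule. The `[ ! -e "$@" ]` guard is also true for a dangling symlink, in which case `ln` runs again and fails because the name already exists, so test `-L` as well. Minor: "depedency" in the comment above `.PHONY` should read "dependency".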
[Freeipa-devel] [freeipa PR#606][opened] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1
URL: https://github.com/freeipa/freeipa/pull/606 Author: tomaskrizek Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1 Action: opened PR body: """ Rebased patch for ipa-4-4. It's already in F26/rawhide. Original PR: #410 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/606/head:pr606 git checkout pr606 From 6997574dcb84d92126d5517a5454520143e81e1a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 24 Jan 2017 11:02:30 +0200 Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1 DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. Use explicit KDB version dependency in Fedora 26+ via BuildRequires. With new DAL version, freeipa package will fail to build and we'll have to add a support for new DAL version explicitly. https://fedorahosted.org/freeipa/ticket/6619 --- daemons/configure.ac | 21 ++ daemons/ipa-kdb/ipa_kdb.c| 140 +-- daemons/ipa-kdb/ipa_kdb.h| 2 + daemons/ipa-kdb/ipa_kdb_principals.c | 42 ++- freeipa.spec.in | 9 +++ 5 files changed, 157 insertions(+), 57 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 5c5a104..77a3be0 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -66,6 +66,27 @@ AC_SUBST(KRB5_LIBS) AC_SUBST(KRAD_LIBS) AC_SUBST(krb5rundir) +AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])]) +AC_CHECK_MEMBER( + [kdb_vftabl.free_principal], + [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1], + [KDB driver API has free_principal callback])], + [AC_MSG_NOTICE([KDB driver API has no free_principal callback])], + [[#include ]]) +AC_CHECK_MEMBER( + [kdb_vftabl.free_principal_e_data], + [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1], + [KDB driver API has free_principal_e_data callback])], + [AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])], + [[#include ]]) + +if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \ + -a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then +AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.]) +AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use]) +AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details]) +fi + dnl --- dnl - Check for Mozilla LDAP and OpenLDAP SDK dnl --- diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index fbcb03b..e74ab56 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -625,45 +625,107 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +/* We explicitly want to keep different ABI tables below separate. */ +/* Do not merge them together. Older ABI does not need to be updated */ + +#if KRB5_KDB_DAL_MAJOR_VERSION == 5 +kdb_vftabl kdb_function_table = { +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.free_principal = ipadb_free_principal, +.put_principal = ipadb_put_principal, +.delete_principal = ipadb_delete_principal, +.iterate = ipadb_iterate, +.create_policy = ipadb_create_pwd_policy, +.get_policy = ipadb_get_pwd_policy, +.put_policy = ipadb_put_pwd_policy, +.iter_policy = ipadb_iterate_pwd_policy, +.delete_policy = ipadb_delete_pwd_policy, +.free_policy = ipadb_free_pwd_policy, +.alloc = ipadb_alloc, +.free = ipadb_free, +.fetch_master_key = ipadb_fetch_master_key, +.store_master_key_list = ipadb_store_master_key_list, +.change_pwd = ipadb_change_pwd, +.sign_authdata = ipadb_sign_authdata, +.check_transited_realms = ipadb_check_transited_realms, +.check_policy_as = ipadb_check_policy_as, +.audit_as_req = ipadb_audit_as_req, +.check_allowed_to_delegate = ipadb_check_allowed_to_delegate +}; +#endif + +#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA) kdb_vftabl kdb_function_table = { -KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ -0,
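Review bot: The leak warning in the `daemons/configure.ac` hunk can never fire: the second operand tests `ac_cv_member_kdb_vftable_free_principal_e_data` ("vftable"), while the struct passed to `AC_CHECK_MEMBER` is `kdb_vftabl`, so the cache variable is `ac_cv_member_kdb_vftabl_free_principal_e_data`. The misspelled variable is always empty, its comparison with `xno` is always false, and a build against a DAL with neither callback silently produces the leaking driver the commit message describes. Fix the name, and consider `test ... && test ...` instead of `-a`, which the Autoconf manual advises against for portability.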
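Review bot: The `kdb_function_table` definitions in the `ipa_kdb.c` hunk are selected with exact `==` tests on `KRB5_KDB_DAL_MAJOR_VERSION`, and the part of the hunk shown here has no fallback branch. Unless one follows later, a DAL version that matches none of the guards leaves the table undefined and the problem only surfaces when the module is linked or loaded; a final `#error` naming the unsupported version would turn that into a compile-time failure, which matches the intent stated in the commit message. The hard-coded `.min_ver = 0` in the DAL 5 table could take a short comment explaining the choice.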
[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features
URL: https://github.com/freeipa/freeipa/pull/517 Title: #517: [WIP] Use Custodia 0.3 features tiran commented: """ This PR must be merged into 4.5 ASAP. Without the fix it is not possible to define proper SELinux policies for ipa-custodia and stand-alone custodia. """ See the full comment at https://github.com/freeipa/freeipa/pull/517#issuecomment-286993273
[Freeipa-devel] [freeipa PR#604][+ack] [4.5] Set zanata version to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/604 Title: #604: [4.5] Set zanata version to ipa-4-5 Label: +ack
[Freeipa-devel] [freeipa PR#605][+ack] Set development version to 4.5.90
URL: https://github.com/freeipa/freeipa/pull/605 Title: #605: Set development version to 4.5.90 Label: +ack