[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-29 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

abbra commented:
"""
> @sumit-bose What happens when the shared library is missing? Does 32bit kinit 
> fail or work on a X86_64 system when 32bit ipadb.so is missing?

It is not about kinit. The module is for KDC, not client side. We guarantee it 
exists because we install it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/672#issuecomment-290317784
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

tiran commented:
"""
LGTM

For the record: according to 
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#plugins
 the plugin directive uses ```plugin_base_dir``` as the base dir:

> module
> This tag may have multiple values. Each value is a string of the form 
> modulename:pathname, which causes the shared object located at pathname to be 
> registered as a dynamic module named modulename for the pluggable interface. 
> If pathname is not an absolute path, it will be treated as relative to the 
> plugin_base_dir value from [libdefaults].

> plugin_base_dir
> If set, determines the base directory where krb5 plugins are located. The 
> default value is the krb5/plugins subdirectory of the krb5 library directory.

@sumit-bose What happens when the shared library is missing? Does 32bit kinit 
fail or work on a X86_64 system when 32bit ipadb.so is missing?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/672#issuecomment-290312805
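The rule quoted above (a relative `module` pathname is joined onto `plugin_base_dir`, which defaults to `krb5/plugins` under the krb5 library directory) is the thing a config snippet like ipa-certmap's depends on, and it is what decides whether the shared object is found on a box whose krb5 was built with a different libdir. The block below is an added example and not FreeIPA or MIT krb5 code: a minimal parser for the `[libdefaults]` and `[plugins]` sections that resolves every `module` tag the way the documentation describes and reports the ones whose shared object is absent. The configuration text, the `/usr/lib64` default and the set of files assumed present are constructed for the example.

```python
"""Resolve krb5 [plugins] module paths against plugin_base_dir.

Added example (not FreeIPA or MIT krb5 code).  The config text below and the
default library directory are constructed for the example.
"""
import os
import re

# Assumption for the example: krb5 on this host was built with libdir /usr/lib64.
DEFAULT_LIBDIR = "/usr/lib64"

# Constructed krb5.conf-style text: one relative and one absolute module path.
SAMPLE_CONF = """
[libdefaults]
 default_realm = EXAMPLE.TEST
 plugin_base_dir = /usr/lib64/krb5/plugins

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
 kdb = {
  module = ipadb:/usr/lib64/krb5/plugins/kdb/ipadb.so
 }
"""


def parse_krb5_conf(text):
    """Minimal parser for krb5.conf profile syntax.

    Returns {section: [(key, value), ...]}; a `name = { ... }` block becomes
    (name, [(key, value), ...]).  Comments, `[section]` headers, `key = value`
    lines and brace blocks (nested via a generic stack) are all that is handled.
    """
    sections = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), [])]
            continue
        if not stack:
            raise ValueError("key/value outside of a [section]: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value, got %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = []
            stack[-1].append((key, block))
            stack.append(block)
        else:
            stack[-1].append((key, value))
    return sections


def plugin_base_dir(sections, libdir=DEFAULT_LIBDIR):
    """[libdefaults] plugin_base_dir, else <libdir>/krb5/plugins as the docs state."""
    for key, value in sections.get("libdefaults", []):
        if key == "plugin_base_dir":
            return value
    return os.path.join(libdir, "krb5", "plugins")


def resolve_modules(sections, libdir=DEFAULT_LIBDIR):
    """Return [(interface, modulename, absolute_path)] for every `module` tag."""
    base = plugin_base_dir(sections, libdir)
    resolved = []
    for interface, entries in sections.get("plugins", []):
        if not isinstance(entries, list):
            continue  # a plain key under [plugins], not an interface block
        for key, value in entries:
            if key != "module":
                continue
            name, sep, path = value.partition(":")
            if not sep or not name or not path:
                raise ValueError("module tag must be modulename:pathname, got %r" % value)
            if not os.path.isabs(path):
                path = os.path.join(base, path)  # the relative-path rule from the docs
            resolved.append((interface, name, os.path.normpath(path)))
    return resolved


def missing_modules(sections, libdir=DEFAULT_LIBDIR, exists=os.path.exists):
    """Modules whose shared object is absent; `exists` is injectable for testing."""
    return [m for m in resolve_modules(sections, libdir) if not exists(m[2])]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for interface, name, path in resolve_modules(conf):
        print("%-9s %-7s %s" % (interface, name, path))
    for interface, name, path in missing_modules(conf):
        print("MISSING: %s/%s -> %s" % (interface, name, path))
```

Both entries in the sample resolve to the same file, which is the point of the relative form: the snippet stays correct on a host with a different libdir as long as `plugin_base_dir` (or the built-in default) is right, whereas the absolute form has to be edited per architecture.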

[Freeipa-devel] [freeipa PR#480][comment] Hide request_type doc string in cert-request help

2017-03-29 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Hide request_type doc string in cert-request help

Akasurde commented:
"""
Bump for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/480#issuecomment-290289355

[Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
 Title: #621: Add --password-expiration to allow an admin to force a password 
change
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
From e0f30753a461f3c05401f49a235e18f4610fe426 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 29 Mar 2017 20:34:08 -0600
Subject: [PATCH] Add --password-expiration to allow admin to force user
 password expiration

- Allows an admin to easily force a user's password to expire, forcing the user to change it immediately or at a specified time in the future
---
 ACI.txt   |  2 +-
 API.txt   | 18 --
 VERSION.m4|  4 ++--
 install/updates/20-aci.update |  3 ++-
 ipalib/parameters.py  | 16 ++--
 ipaserver/plugins/baseuser.py |  4 
 ipaserver/plugins/user.py |  2 +-
 7 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 9c7996c..185812a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
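Review bot: the `+aci:` line widens "System: Change User password" beyond what its name says. A holder can now write krbpasswordexpiration directly on any non-admin posixaccount, which includes pushing it far into the future and thereby exempting that user from the password policy's maximum lifetime until the next password change. Call that out in the PR description and in the permission's help text, and confirm the line was regenerated from the managed permission definition in ipaserver/plugins/user.py (the diffstat's 2-line change there) rather than hand-edited, since ACI.txt is generated from those definitions.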
diff --git a/API.txt b/API.txt
index 7594157..7850538 100644
--- a/API.txt
+++ b/API.txt
@@ -4828,7 +4828,7 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: stageuser_add/1
-args: 1,44,3
+args: 1,45,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
 option: Str('l?', cli_name='city')
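Review bot: `+option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')` lands on stageuser_add because the parameter was added in baseuser.py, but a stage user cannot authenticate until activated and the activation command is not in the diffstat. State whether a value set at stage time survives stageuser_activate or is dropped, and add a test for whichever it is; otherwise an admin who stages a user with a past expiration may get a different result from the same option on user_add.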
@@ -4933,7 +4934,7 @@ output: Output('result', type=[])
 output: Output('summary', type=[, ])
 output: ListOfPrimaryKeys('value')
 command: stageuser_find/1
-args: 1,53,4
+args: 1,54,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('carlicense*', autofill=False)
@@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False)
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Str('l?', autofill=False, cli_name='city')
@@ -4993,7 +4995,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: stageuser_mod/1
-args: 1,46,3
+args: 1,47,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@

[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/490
Title: #490: certdb: use certutil and match_hostname for cert verification

tiran commented:
"""
Your PR is going to remove the last import from python-nss. Awesome!

Please remove the requirement from ```ipapython/setup.py``` and 
```freeipa.spec.in```, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/490#issuecomment-290204064

[Freeipa-devel] [freeipa PR#636][+ack] [Py3] Fix ipatests.util doc tests

2017-03-29 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/636
Title: #636: [Py3] Fix ipatests.util doc tests

Label: +ack

[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper

2017-03-29 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
 Title: #675: [WIP] Fix PKCS11 helper
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675
From 49724f4c5e85f5b6cf206ab3c5a8651fe38bd97a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose the proper
slot from the token label.

SoftHSM 2.2.0 changed this behavior and now slots can change over
time (it is allowed by the PKCS#11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot',
  which uses the first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 ipalib/constants.py |  2 +
 ipaserver/install/dnskeysyncinstance.py |  8 ++--
 ipaserver/install/opendnssecinstance.py |  7 ++-
 ipaserver/p11helper.py  | 76 +++--
 4 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c..e604bb4 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -313,3 +313,5 @@
 '.cache'
 )
 )
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 861a170..8817f25 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -23,9 +23,9 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaserver.install.bindinstance import dns_container_exists
 
-softhsm_token_label = u'ipaDNSSEC'
 softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
 
@@ -254,8 +254,8 @@ def __setup_softhsm(self):
 command = [
 paths.SOFTHSM2_UTIL,
 '--init-token',
-'--slot', str(softhsm_slot),
-'--label', softhsm_token_label,
+'--free',  # use random free slot
+'--label', SOFTHSM_DNSSEC_TOKEN_LABEL,
 '--pin', pin,
 '--so-pin', pin_so,
 ]
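Review bot: the inline comment `# use random free slot` contradicts the commit message, which says `--free` takes the first free slot; make them agree. Also, with the slot no longer fixed, re-running this step on a host that already holds an `ipaDNSSEC` token (a reinstall or a re-run after a failed install) initialises a second token with the same label, and a by-label lookup then has two candidates. Either check for an existing token with that label before calling `--init-token`, or make the lookup refuse duplicates loudly.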
@@ -274,7 +274,7 @@ def __setup_replica_keys(self):
 pin = f.read()
 
 os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+p11 = _ipap11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
 
 try:
 # generate replica keypair
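Review bot: the first positional argument of P11_Helper changes type from an int slot to a unicode label in this hunk and in the opendnssecinstance.py hunk below, but the diffstat lists only four files. Any other constructor of P11_Helper outside this diff would keep passing a slot number and only fail at run time, so either grep for remaining call sites before this merges or give the new parameter a distinct keyword name so an old call cannot pass silently.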
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 467f1f0..2af4d29 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -20,10 +20,9 @@
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipaserver import p11helper
-from ipaserver.install import dnskeysyncinstance
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 
 KEYMASTER = u'dnssecKeyMaster'
-softhsm_slot = 0
 
 
 def get_dnssec_key_masters(conn):
@@ -68,7 +67,7 @@ def __init__(self, fstore=None):
 self.ods_gid = None
 self.conf_file_dict = {
 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
-'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
+'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL,
 'KASP_DB': paths.OPENDNSSEC_KASP_DB,
 'ODS_USER': constants.ODS_USER,
 'ODS_GROUP': constants.ODS_GROUP,
@@ -237,7 +236,7 @@ def __generate_master_key(self):
 pin = f.read()
 
 os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+p11 = p11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
 try:
 # generate master key
 root_logger.debug("Creating master key")
diff --git a/ipaserver/p11helper.py b/ipaserver/p11helper.py
index 5963c6d..8d596bd 100644
--- a/ipaserver/p11helper.py
+++ b/ipaserver/p11helper.py
@@ -43,6 +43,8 @@
 
 typedef unsigned long CK_ATTRIBUTE_TYPE;
 
+typedef unsigned long ck_flags_t;
+
 struct _CK_ATTRIBUTE
 {
   CK_ATTRIBUTE_TYPE type;
@@ -253,6 +255,28 @@
   CK_C_WaitForSlotEvent C_WaitForSlotEvent;
 };
 
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsig
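Review bot: `unsigned char label[32]` in `struct ck_token_info` is space padded and not NUL terminated per PKCS#11, so wherever get_slot() compares it with the configured label it must compare all 32 bytes against the label padded with spaces (or rstrip the field), not a C-string or prefix comparison. Keep the remaining members in the exact order and width of CK_TOKEN_INFO as well: cffi derives the offsets of `label` and `flags` from this declaration, and a mismatch would silently read the wrong bytes. The hunk is cut off here, so the trailing fields cannot be checked from the diff.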

[Freeipa-devel] [bind-dyndb-ldap PR#12][comment] README.md: fix markdown formatting

2017-03-29 Thread MartinBasti
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Title: #12: README.md: fix markdown formatting

MartinBasti commented:
"""
ACK
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/12#issuecomment-290162668

[Freeipa-devel] [freeipa PR#675][opened] [WIP] Fix PKCS11 helper

2017-03-29 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
 Title: #675: [WIP] Fix PKCS11 helper
Action: opened

PR body:
"""
Slots in HSM are not assigned statically, we have to choose the proper
slot from the token label.

SoftHSM 2.2.0 changed this behavior and now slots can change over
time (it is allowed by the PKCS#11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot',
  which uses the first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675
From 8295a9a504fe8a7b0c3bd6c24697fcd0c2358a82 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose the proper
slot from the token label.

SoftHSM 2.2.0 changed this behavior and now slots can change over
time (it is allowed by the PKCS#11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot',
  which uses the first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 ipalib/constants.py |  2 ++
 ipaserver/install/dnskeysyncinstance.py |  8 +++---
 ipaserver/install/opendnssecinstance.py |  7 ++---
 ipaserver/p11helper.py  | 50 ++---
 4 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c..e604bb4 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -313,3 +313,5 @@
 '.cache'
 )
 )
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 861a170..8817f25 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -23,9 +23,9 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaserver.install.bindinstance import dns_container_exists
 
-softhsm_token_label = u'ipaDNSSEC'
 softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
 
@@ -254,8 +254,8 @@ def __setup_softhsm(self):
 command = [
 paths.SOFTHSM2_UTIL,
 '--init-token',
-'--slot', str(softhsm_slot),
-'--label', softhsm_token_label,
+'--free',  # use random free slot
+'--label', SOFTHSM_DNSSEC_TOKEN_LABEL,
 '--pin', pin,
 '--so-pin', pin_so,
 ]
@@ -274,7 +274,7 @@ def __setup_replica_keys(self):
 pin = f.read()
 
 os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+p11 = _ipap11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
 
 try:
 # generate replica keypair
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 467f1f0..2af4d29 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -20,10 +20,9 @@
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipaserver import p11helper
-from ipaserver.install import dnskeysyncinstance
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 
 KEYMASTER = u'dnssecKeyMaster'
-softhsm_slot = 0
 
 
 def get_dnssec_key_masters(conn):
@@ -68,7 +67,7 @@ def __init__(self, fstore=None):
 self.ods_gid = None
 self.conf_file_dict = {
 'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
-'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
+'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL,
 'KASP_DB': paths.OPENDNSSEC_KASP_DB,
 'ODS_USER': constants.ODS_USER,
 'ODS_GROUP': constants.ODS_GROUP,
@@ -237,7 +236,7 @@ def __generate_master_key(self):
 pin = f.read()
 
 os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
-p11 = p11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
+p11 = p11helper.P11_Helper(SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
 try:
 # generate master key
 root_logger.debug("Creating master key")
diff --git a/ipaserver/p11helper.py b/ipaserver/p11helper.py
index 5963c6d..0ad858
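The slot lookup that PR#675 introduces (find the token by its label, then open the session) has one detail worth getting right: CK_TOKEN_INFO.label is a fixed 32-byte field padded with spaces and not NUL-terminated, so a comparison has to pad the wanted label the same way, otherwise it either never matches or matches by prefix. The block below is an added example and not FreeIPA's p11helper: it models the C_GetSlotList/C_GetTokenInfo calls with a constructed slot table (the slot ids, serials and the `ConstructedModule` class are the example's own) and selects the slot by exact padded label, refusing both a missing and an ambiguous label.

```python
"""Select a PKCS#11 slot by token label instead of assuming slot 0.

Added example, not FreeIPA's p11helper.  The slot table stands in for what
C_GetSlotList/C_GetTokenInfo would return; all ids and serials are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LABEL_LEN = 32                  # CK_TOKEN_INFO.label is CK_UTF8CHAR[32]
CKF_TOKEN_INITIALIZED = 0x0400  # token info flag from pkcs11t.h


@dataclass(frozen=True)
class TokenInfo:
    label: bytes     # exactly 32 bytes, space padded, no NUL terminator
    serial: bytes    # 16 bytes, also space padded
    flags: int


def pack_label(label: str) -> bytes:
    """Encode a label the way a PKCS#11 token stores it (UTF-8, padded to 32)."""
    raw = label.encode("utf-8")
    if len(raw) > LABEL_LEN:
        raise ValueError("label longer than %d bytes: %r" % (LABEL_LEN, label))
    return raw.ljust(LABEL_LEN, b" ")


def unpack_label(raw: bytes) -> str:
    """Inverse of pack_label; trailing spaces are padding, inner spaces are data."""
    return raw.rstrip(b" ").decode("utf-8")


class ConstructedModule:
    """Stand-in for a loaded PKCS#11 library (constructed for the example)."""

    def __init__(self, table: Dict[int, Optional[TokenInfo]]):
        self._table = table  # slot id -> token, or None for an empty slot

    def C_GetSlotList(self, token_present: bool = True) -> List[int]:
        return sorted(s for s, t in self._table.items()
                      if t is not None or not token_present)

    def C_GetTokenInfo(self, slot: int) -> TokenInfo:
        info = self._table.get(slot)
        if info is None:
            raise LookupError("CKR_TOKEN_NOT_PRESENT: slot %#x" % slot)
        return info


def find_slot(module, label: str) -> Optional[int]:
    """Slot whose token carries exactly `label`; None if absent.

    Raises LookupError when more than one token has the label, because
    picking either one silently would bind the caller to the wrong key store.
    """
    wanted = pack_label(label)
    matches = [slot for slot in module.C_GetSlotList(token_present=True)
               if module.C_GetTokenInfo(slot).label == wanted]
    if len(matches) > 1:
        raise LookupError("label %r is ambiguous: slots %s"
                          % (label, [hex(s) for s in matches]))
    return matches[0] if matches else None


def get_slot(module, label: str) -> int:
    """Like find_slot, but a missing token is an error rather than None."""
    slot = find_slot(module, label)
    if slot is None:
        raise LookupError("no token labelled %r in %s"
                          % (label, [hex(s) for s in module.C_GetSlotList()]))
    return slot


# Constructed slot table: nothing at slot 0 (the situation the PR describes)
# and a second token whose label merely starts with the wanted one.
SAMPLE_MODULE = ConstructedModule({
    0: None,
    0x3A2F8B1C: TokenInfo(pack_label("ipaDNSSEC"), b"0123456789abcdef",
                          CKF_TOKEN_INITIALIZED),
    0x11223344: TokenInfo(pack_label("ipaDNSSEC-old"), b"fedcba9876543210",
                          CKF_TOKEN_INITIALIZED),
})


if __name__ == "__main__":
    print("ipaDNSSEC is in slot %#x" % get_slot(SAMPLE_MODULE, "ipaDNSSEC"))
    print("a prefix match would have returned:",
          [hex(s) for s in SAMPLE_MODULE.C_GetSlotList()
           if SAMPLE_MODULE.C_GetTokenInfo(s).label.startswith(b"ipaDNSSEC")])
```

One consequence of the padding rule is visible in the tests: a label that differs from `ipaDNSSEC` only by trailing spaces packs to the same 32 bytes, so PKCS#11 cannot distinguish the two, and a label longer than 32 bytes is rejected before any slot is consulted.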

Re: [Freeipa-devel] Issue connecting through Clients

2017-03-29 Thread Alexander Bokovoy

On Wed, 29 Mar 2017, Bradley Bishop wrote:
>
> Hello all,
>
> I have an IPA setup with AD, DNS resides on AD, and I am having issues
> authenticating with my clients.
>
> Getting the following error on my clients:
>
> (Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send]
> (0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local

Your IPA domain is ipa.brad.local, your host name is
bradltest3.brad.local, i.e. it is not in the IPA domain.

It looks like your IPA client machine is in the AD DNS domain. You
should read http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
and http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
to understand what nightmare you are inflicting on yourself. ;)

--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#674][opened] Replace hard-coded kdcproxy path with WSGI script

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/674
Author: tiran
 Title: #674: Replace hard-coded kdcproxy path with WSGI script
Action: opened

PR body:
"""
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/674/head:pr674
git checkout pr674
From c10b628ecc6ef9759300ad96d065566c5e3ca94d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 29 Mar 2017 17:58:47 +0200
Subject: [PATCH] Replace hard-coded kdcproxy path with WSGI script

mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 1 +
 install/conf/ipa-kdc-proxy.conf.template | 4 ++--
 install/share/Makefile.am| 1 +
 install/share/kdcproxy.wsgi  | 5 +
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 install/share/kdcproxy.wsgi

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 829c3f0..d606996 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1256,6 +1256,7 @@ fi
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template
index 9290ceb..6721219 100644
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -16,9 +16,9 @@
 
 WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
   user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \
   process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi
 WSGIScriptReloading Off
 
 
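Review bot: the Python-2.7 site-packages path is gone, but `/usr/share/ipa/kdcproxy.wsgi` is now hard-coded in the two `+` lines while the spec installs the file under `%{_usr}/share/ipa` and Makefile.am under `$(IPA_DATA_DIR)`; a build with a different data dir ends up with a template that points at a file that is not there. Consider substituting the data dir into the template, which is the direction PR#673 in this digest takes for the other conf files.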
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 9e539a3..3a34f6e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA =\
 	gssapi.login			\
 	ipa.conf.tmpfiles		\
 	gssproxy.conf.template		\
+	kdcproxy.wsgi			\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/kdcproxy.wsgi b/install/share/kdcproxy.wsgi
new file mode 100644
index 000..be1693c
--- /dev/null
+++ b/install/share/kdcproxy.wsgi
@@ -0,0 +1,5 @@
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+"""WSGI entry point for kdcproxy
+"""
+from kdcproxy import application
+
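Review bot: the new file ends with an empty `+` line and its only statement is `from kdcproxy import application`, which linters report as an unused import. An explicit `__all__ = ['application']` (or a `# noqa` marker) documents that the name is the mod_wsgi entry point rather than an accident, and a one-line docstring saying the file is referenced from ipa-kdc-proxy.conf.template saves the next reader a grep.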

[Freeipa-devel] [freeipa PR#673][opened] Conf template

2017-03-29 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/673
Author: tjaalton
 Title: #673: Conf template
Action: opened

PR body:
"""
Move conf templates to a common location, make ipa.conf and named.conf portable.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/673/head:pr673
git checkout pr673
From 134fec33ecbbb462a18fb9dd135b3b3cf23d80fd Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Wed, 15 Mar 2017 19:28:07 +0200
Subject: [PATCH 1/3] Move config templates from install/conf to install/share

---
 configure.ac  |   1 -
 freeipa.spec.in   |   3 -
 install/Makefile.am   |   1 -
 install/conf/Makefile.am  |  13 --
 install/conf/ipa-kdc-proxy.conf.template  |  30 
 install/conf/ipa-pki-proxy.conf   |  46 --
 install/conf/ipa-rewrite.conf |  22 ---
 install/conf/ipa.conf | 227 --
 install/share/Makefile.am |   4 +
 install/share/ipa-kdc-proxy.conf.template |  30 
 install/share/ipa-pki-proxy.conf.template |  46 ++
 install/share/ipa-rewrite.conf.template   |  22 +++
 install/share/ipa.conf.template   | 227 ++
 ipaserver/install/dogtaginstance.py   |   2 +-
 ipaserver/install/httpinstance.py |   4 +-
 ipaserver/install/server/upgrade.py   |   6 +-
 16 files changed, 335 insertions(+), 349 deletions(-)
 delete mode 100644 install/conf/Makefile.am
 delete mode 100644 install/conf/ipa-kdc-proxy.conf.template
 delete mode 100644 install/conf/ipa-pki-proxy.conf
 delete mode 100644 install/conf/ipa-rewrite.conf
 delete mode 100644 install/conf/ipa.conf
 create mode 100644 install/share/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/ipa-pki-proxy.conf.template
 create mode 100644 install/share/ipa-rewrite.conf.template
 create mode 100644 install/share/ipa.conf.template

diff --git a/configure.ac b/configure.ac
index f5c5270..2125d05 100644
--- a/configure.ac
+++ b/configure.ac
@@ -538,7 +538,6 @@ AC_CONFIG_FILES([
 init/Makefile
 install/Makefile
 install/certmonger/Makefile
-install/conf/Makefile
 install/html/Makefile
 install/migration/Makefile
 install/share/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 829c3f0..5235e13 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1312,9 +1312,6 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
-%{_usr}/share/ipa/ipa.conf
-%{_usr}/share/ipa/ipa-rewrite.conf
-%{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
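Review bot: the three removed `%{_usr}/share/ipa/*.conf` entries are not replaced by entries for the renamed `*.template` files in this hunk, so packaging relies on the `%{_usr}/share/ipa/*.template` glob already in this %files section (visible in the PR#674 hunk earlier in this digest); say so in the commit message. Also worth a line there: on upgrade the old /usr/share/ipa/ipa.conf, ipa-rewrite.conf and ipa-pki-proxy.conf disappear, so httpinstance.py and upgrade.py (both in the diffstat) must use the new names on every path that copies a template, or an upgrade will fail with a missing file.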
diff --git a/install/Makefile.am b/install/Makefile.am
index f895bcc..f0ec9c7 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -6,7 +6,6 @@ NULL =
 
 SUBDIRS =			\
 certmonger		\
-conf			\
 html			\
 migration		\
 share			\
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
deleted file mode 100644
index 751bb16..000
--- a/install/conf/Makefile.am
+++ /dev/null
@@ -1,13 +0,0 @@
-NULL =
-
-appdir = $(IPA_DATA_DIR)
-app_DATA =  \
-	ipa.conf			\
-	ipa-kdc-proxy.conf.template	\
-	ipa-pki-proxy.conf		\
-	ipa-rewrite.conf		\
-	$(NULL)
-
-EXTRA_DIST =\
-$(app_DATA) \
-$(NULL)
diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template
deleted file mode 100644
index 9290ceb..000
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ /dev/null
@@ -1,30 +0,0 @@
-# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
-#
-# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
-# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
-# httpd.service. The service also sets the environment variable
-# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
-#
-# Disable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
-#   # systemctl restart httpd.service
-#
-# Enable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
-#   # systemctl restart httpd.service
-#
-
-WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
-  user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
-  process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
-WSGIScriptReloading Off
-
-

[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password 
change

redhatrises commented:
"""
@HonzaCholasta updated the "Admins can write passwords" ACI to contain 
'krbPasswordExpiration', as the "Admin can manage any entry" ACI already had 
'krbPasswordExpiration' added.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/621#issuecomment-290122377

[Freeipa-devel] [freeipa PR#621][synchronized] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
 Title: #621: Add --password-expiration to allow an admin to force a password 
change
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
From 92126da02f7dea0bbe0b596d86ab538bc590fac1 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 29 Mar 2017 09:12:26 -0600
Subject: [PATCH] Add --password-expiration to allow admin to force user
 password expiration

- Allows an admin to easily force a user's password to expire, forcing the user to change it immediately or at a specified time in the future
---
 ACI.txt   |  2 +-
 API.txt   | 18 --
 VERSION.m4|  2 +-
 install/updates/20-aci.update |  2 +-
 ipalib/parameters.py  | 16 ++--
 ipaserver/plugins/baseuser.py |  4 
 ipaserver/plugins/user.py |  2 +-
 7 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 9c7996c..185812a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 7594157..7850538 100644
--- a/API.txt
+++ b/API.txt
@@ -4828,7 +4828,7 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: stageuser_add/1
-args: 1,44,3
+args: 1,45,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
 option: Str('l?', cli_name='city')
@@ -4933,7 +4934,7 @@ output: Output('result', type=[])
 output: Output('summary', type=[, ])
 output: ListOfPrimaryKeys('value')
 command: stageuser_find/1
-args: 1,53,4
+args: 1,54,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('carlicense*', autofill=False)
@@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False)
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Str('l?', autofill=False, cli_name='city')
@@ -4993,7 +4995,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: stageuser_mod/1
-args: 1,46,3
+args: 1,47,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5

[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password 
change

HonzaCholasta commented:
"""
The `admin` user is not allowed to write to the attribute:
```
$ kinit admin
Password for ad...@abc.idm.lab.eng.brq.redhat.com: 
$ ipa user-mod jcholast --password-expiration=now
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'krbPasswordExpiration' attribute of entry 
'uid=jcholast,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'.
```
Please update the "Admin can manage any entry" ACI in 
`install/updates/20-aci.update`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/621#issuecomment-290114123
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#672][opened] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-29 Thread sumit-bose
   URL: https://github.com/freeipa/freeipa/pull/672
Author: sumit-bose
 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet
Action: opened

PR body:
"""
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries that
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/672/head:pr672
git checkout pr672
From 54460a33d3d95dbcaec56bf45999a39c10da60ed Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 29 Mar 2017 15:46:50 +0200
Subject: [PATCH] IPA-KDB: use relative path in ipa-certmap config snippet

Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries that
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833
---
 daemons/ipa-kdb/Makefile.am | 12 
 daemons/ipa-kdb/ipa-certauth|  5 +
 daemons/ipa-kdb/ipa-certauth.in |  5 -
 3 files changed, 9 insertions(+), 13 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa-certauth
 delete mode 100644 daemons/ipa-kdb/ipa-certauth.in

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 715666e..259bc3b 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -40,18 +40,16 @@ ipadb_la_SOURCES = 		\
 	ipa_kdb_audit_as.c	\
 	$(NULL)
 
+dist_noinst_DATA = ipa_kdb.exports
+
 if BUILD_IPA_CERTAUTH_PLUGIN
 ipadb_la_SOURCES += ipa_kdb_certauth.c
 
 
-%: %.in
-	sed \
-		-e 's|@plugindir@|$(plugindir)|g' \
-		'$(srcdir)/$@.in' >$@
-
 krb5confdir = $(sysconfdir)/krb5.conf.d
 krb5conf_DATA = ipa-certauth
-CLEANFILES = $(krb5conf_DATA)
+else
+dist_noinst_DATA += ipa-certauth
 endif
 
 ipadb_la_LDFLAGS = 		\
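Review bot: with the `%: %.in` rule and `CLEANFILES = $(krb5conf_DATA)` removed, `ipa-certauth` becomes a tracked source file instead of a build product, and the `dist_noinst_DATA += ipa-certauth` in the new `else` branch relies on the `dist_noinst_DATA = ipa_kdb.exports` assignment placed above the conditional; a one-line comment at the `else` saying the snippet is shipped in the tarball even when BUILD_IPA_CERTAUTH_PLUGIN is off (and must never return to CLEANFILES) would make the intent clear to the next reader. Please also check that the now-committed `daemons/ipa-kdb/ipa-certauth` is not still ignored as a generated file elsewhere in the tree.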
@@ -105,8 +103,6 @@ ipa_kdb_tests_LDADD =  \
-lsss_idmap \
$(NULL)
 
-dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in
-
 clean-local:
 	rm -f tests/.dirstamp
 
diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth
new file mode 100644
index 000..6fde082
--- /dev/null
+++ b/daemons/ipa-kdb/ipa-certauth
@@ -0,0 +1,5 @@
+[plugins]
+ certauth = {
+  module = ipakdb:kdb/ipadb.so
+  enable_only = ipakdb
+ }
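Review bot: `module = ipakdb:kdb/ipadb.so` is resolved by libkrb5 relative to `plugin_base_dir` from `[libdefaults]`, which defaults to the plugin directory of whichever libkrb5 reads the file; that is exactly what makes the snippet architecture-neutral, but it also means a deployment that overrides `plugin_base_dir` in krb5.conf will look for the module somewhere else. A comment line in the snippet stating that the path is intentionally relative and has to match where `ipadb.so` is installed would stop a later "fix" from reintroducing the `@plugindir@` substitution.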
diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in
deleted file mode 100644
index eda89a2..000
--- a/daemons/ipa-kdb/ipa-certauth.in
+++ /dev/null
@@ -1,5 +0,0 @@
-[plugins]
- certauth = {
-  module = ipakdb:@plugindir@/ipadb.so
-  enable_only = ipakdb
- }
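How libkrb5 treats the relative `module = ipakdb:kdb/ipadb.so` line, and why the old `@plugindir@` form broke on hosts with 32bit and 64bit libkrb5 installed side by side, can be checked mechanically. The following is an added example, not FreeIPA or MIT krb5 code: a parser for the subset of krb5.conf profile syntax these snippets use, which resolves every `module` path against a per-architecture `plugin_base_dir` and flags absolute paths under a lib directory. The two plugin base directories and the expanded `@plugindir@` value are constructed for the example; the page only shows the placeholder.

```python
"""Resolve krb5 plugin module paths from a krb5.conf.d snippet and flag
architecture-specific absolute paths.

Added example; not FreeIPA or MIT krb5 code. It understands the subset of
the krb5 profile syntax used by plugin snippets ([section], `key = {`
nested blocks, `key = value`) and applies libkrb5's rule for
`module = modname:pathname`: an absolute pathname is used as-is, a
relative one is taken relative to plugin_base_dir.
"""
import posixpath
import re

# Constructed plugin base dirs for two libkrb5 builds on one multilib host.
# The real default is the krb5/plugins subdirectory of the krb5 library
# directory, so it differs per architecture; that is the whole problem.
PLUGIN_BASE_DIRS = {
    "x86_64": "/usr/lib64/krb5/plugins",
    "i686": "/usr/lib/krb5/plugins",
}

# Any absolute path under a lib directory is tied to one architecture.
_ARCH_DIR = re.compile(r"^/(usr/)?(local/)?lib(32|64)?/")

# The snippet as committed by the PR (relative path).
RELATIVE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
"""

# The pre-PR form with @plugindir@ expanded; the expanded value is
# constructed here, the page only shows the placeholder.
ABSOLUTE_SNIPPET = """\
[plugins]
 certauth = {
  module = ipakdb:/usr/lib64/krb5/plugins/kdb/ipadb.so
  enable_only = ipakdb
 }
"""


def parse_profile(text):
    """Parse the profile subset into {section: {key: [value or block]}}.

    Repeated keys accumulate into lists, as krb5 allows several `module`
    tags in one interface block.
    """
    root = {}
    stack = []  # open `key = {` blocks, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("value outside of any section: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in profile")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError("expected key = value: %r" % raw)
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def resolve_module(spec, plugin_base_dir):
    """Split 'modname:pathname' and resolve the path as libkrb5 does."""
    modname, sep, path = spec.partition(":")
    if not sep or not modname or not path:
        raise ValueError("module must be modname:pathname: %r" % spec)
    if not posixpath.isabs(path):
        path = posixpath.join(plugin_base_dir, path)
    return modname, posixpath.normpath(path)


def check_snippet(text, plugin_base_dirs=PLUGIN_BASE_DIRS):
    """Return (interface, modname, arch, resolved_path, portable) rows.

    portable is False for an absolute path under a lib directory: the same
    snippet is read by every libkrb5 on the host, so such a path hands a
    32-bit library a 64-bit object or vice versa.
    """
    rows = []
    for iface, blocks in parse_profile(text).get("plugins", {}).items():
        for block in blocks:
            if not isinstance(block, dict):
                continue
            for spec in block.get("module", []):
                raw_path = spec.partition(":")[2]
                portable = not (posixpath.isabs(raw_path) and _ARCH_DIR.match(raw_path))
                for arch, base in plugin_base_dirs.items():
                    modname, resolved = resolve_module(spec, base)
                    rows.append((iface, modname, arch, resolved, portable))
    return rows


if __name__ == "__main__":
    for label, snippet in (("relative", RELATIVE_SNIPPET), ("absolute", ABSOLUTE_SNIPPET)):
        for iface, modname, arch, resolved, portable in check_snippet(snippet):
            print("%-8s %-8s %-6s %-6s %s %s" % (label, iface, modname, arch,
                                                resolved, "ok" if portable else "ARCH-SPECIFIC"))
```

Run against the two snippets, the relative form resolves to a different, correct directory for each libkrb5 build, while the expanded `@plugindir@` form resolves to the 64-bit directory for both and is reported as architecture-specific.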

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
 Title: #629: adtrust: make sure that runtime hostname result is consistent 
with the configuration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/629/head:pr629
git checkout pr629
From 195b5b98defa5ac3ad90d75bc411a315fccfdd52 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration

FreeIPA's `ipasam` module for Samba uses the gethostname() call to identify
its own server's host name. This value is then used in multiple places,
including construction of the cifs/host.name principal. The `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in /etc/samba/samba.keytab. However, if
the principal was created using a non-FQDN name but the system reports
an FQDN name, `ipasam` will fail to acquire Kerberos credentials.
The same applies to an FQDN principal and a non-FQDN hostname.

Also, the host name and principal name must have the same case.

Report an error when configuring an ADTrust instance with an inconsistent
runtime hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
---
 ipaserver/install/adtrustinstance.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b18985..b4db055 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -27,6 +27,7 @@
 import string
 import struct
 import re
+import socket
 
 import six
 
@@ -689,6 +690,15 @@ def __enable_compat_tree(self):
 except Exception as e:
 root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+def __validate_server_hostname(self):
+hostname = socket.gethostname()
+if hostname != self.fqdn:
+raise ValueError("Host reports different name than configured: "
+ "'%s' versus '%s'. Samba requires to have "
+ "the same hostname or Kerberos principal "
+ "'cifs/%s' will not be found in Samba keytab." %
+ (hostname, self.fqdn, self.fqdn))
+
 def __start(self):
 try:
 self.start()
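Review bot: the text inside `raise ValueError(...)` reads awkwardly ("Samba requires to have the same hostname or Kerberos principal ... will not be found"); suggest "Samba requires the system hostname and the configured FQDN to match, otherwise the Kerberos principal 'cifs/%s' will not be found in the Samba keytab." The comparison `hostname != self.fqdn` is exact, so it also rejects the case mismatch the commit message describes; a short comment saying the case-sensitive compare is deliberate would stop someone from "relaxing" it to a case-insensitive one later.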
@@ -804,6 +814,8 @@ def find_local_id_range(self):
 api.Backend.ldap2.add_entry(entry)
 
 def create_instance(self):
+self.step("validate server hostname",
+  self.__validate_server_hostname)
 self.step("stopping smbd", self.__stop)
 self.step("creating samba domain object", \
   self.__create_samba_domain_object)

[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password 
change

redhatrises commented:
"""
> @redhatrises, datetime.utcnow() is what I meant.

Oh good. Ready for your review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/621#issuecomment-290089437

[Freeipa-devel] [freeipa PR#666][+ack] Fix anonymous principal handling in replica install

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/666
Title: #666: Fix anonymous principal handling in replica install

Label: +ack

[Freeipa-devel] [freeipa PR#666][comment] Fix anonymous principal handling in replica install

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/666
Title: #666: Fix anonymous principal handling in replica install

stlaz commented:
"""
I actually did the review of https://github.com/freeipa/freeipa/pull/631 
alongside this.
I do not think the order of adding the anonymous principal and setting up 
PKINIT matters that much. From what I saw in Kerberos guides, it's usually 
actually done after PKINIT setup since until then, the anonymous principal is 
pretty much unusable.
The problem was rather the testing of anonymous pkinit before the anonymous 
principal was added, that is just plainly weird and I'm glad that that's now 
fixed.
ACK since this fixes the issues mentioned in comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/666#issuecomment-290088490

[Freeipa-devel] [freeipa PR#631][+ack] Upgrade: configure PKINIT after adding anonymous principal

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/631
Title: #631: Upgrade: configure PKINIT after adding anonymous principal

Label: +ack

[Freeipa-devel] Issue connecting through Clients

2017-03-29 Thread Bradley Bishop
Hello all,

I have an IPA setup with AD, DNS resides on AD, and I am having issues
authenticating with my clients.

Getting the following error on my clients:

(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: host/bradltest3.brad.local
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.brad.local]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Server krbtgt/brad.lo...@ipa.brad.LOCAL not found in Kerberos database)]

I don't think it is DNS because I can resolve both the IPA server and the
client:

[root@bradltest3 ~]# host homeipa01.brad.local
homeipa01.brad.local has address 11.10.10.17
[root@bradltest3 ~]# host 11.10.10.17
17.10.10.11.in-addr.arpa domain name pointer ipa-ca.ipa.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.brad.local.
17.10.10.11.in-addr.arpa domain name pointer homeipa01.ipa.brad.local.
[root@bradltest3 ~]# host bradltest3.brad.local
bradltest3.brad.local has address 11.10.10.24
[root@bradltest3 ~]# host 11.10.10.24
24.10.10.11.in-addr.arpa domain name pointer bradltest3.brad.local.

I am at a loss on where to look next and any help or direction would be
much appreciated.

Thank you all in advance,

Bradley Bishop
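For readers hitting the same class of failure, here is an added example that is not part of this thread: it pulls the Kerberos detail out of sssd's `sasl_bind_send` records, re-joining lines that a mail client wrapped, and classifies the principal named in "Server ... not found in Kerberos database". A `krbtgt/TARGET@ISSUER` principal is a cross-realm TGT request: the client holds credentials in realm ISSUER but mapped the LDAP server's host name to realm TARGET, so the place to look is the host-to-realm mapping rather than name resolution. The log lines, host names and realms below are constructed, not the poster's.

```python
"""Classify an sssd GSSAPI bind failure from its sasl_bind_send log lines.

Added example, not from this thread; the log excerpts and names below are
constructed to mirror the shape of the report above. The key detail is the
principal in "Server ... not found in Kerberos database": krbtgt/TARGET@ISSUER
is a cross-realm TGT request, i.e. the client has credentials in ISSUER but
mapped the LDAP server's host name to realm TARGET.
"""
import re

# Constructed sssd domain log excerpt, wrapped the way a mail client wraps
# long lines (a record continues until the next timestamped line).
CROSS_REALM_LOG = """\
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: GSSAPI, user: host/client1.example.test
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Mar 29 09:22:33 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Server krbtgt/EXAMPLE.TEST@IPA.EXAMPLE.TEST not found in Kerberos database)]
"""

# Constructed variant: the KDC simply has no entry for the LDAP service.
MISSING_SERVICE_LOG = """\
(Wed Mar 29 09:30:00 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client1.example.test
(Wed Mar 29 09:30:00 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Mar 29 09:30:00 2017) [sssd[be[ipa.example.test]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/ipa1.ipa.example.test@IPA.EXAMPLE.TEST not found in Kerberos database)]
"""

_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
_RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
_USER = re.compile(r"Executing sasl bind mech: (?P<mech>\S+), user: (?P<user>\S+)")
_SERVER = re.compile(r"Server (?P<princ>\S+) not found in Kerberos database")
_KRBTGT = re.compile(r"^krbtgt/(?P<target>[^@]+)@(?P<issuer>.+)$")

# Where to look next for each classification (defender's checklist).
HINTS = {
    "cross-realm-tgt": "client mapped the server host name to another realm; "
                       "check [domain_realm] in krb5.conf and the server's DNS name",
    "own-tgt-missing": "client asked a KDC that does not serve its own realm; "
                       "check [realms] kdc entries and DNS SRV records",
    "service-principal-missing": "KDC has no entry for the service principal; "
                                 "check the service principal on the server",
}


def iter_records(text):
    """Yield one dict per log record, re-joining wrapped lines."""
    buf = []
    for line in text.splitlines():
        if _START.match(line) and buf:
            yield _parse(" ".join(buf))
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield _parse(" ".join(buf))


def _parse(record):
    m = _RECORD.match(record)
    return m.groupdict() if m else {"func": None, "msg": record}


def diagnose_sasl_bind(text):
    """Summarise the sasl_bind_send records of one bind attempt."""
    result = {"mech": None, "user": None, "failure": None,
              "server_principal": None, "kind": "no-failure-seen"}
    for rec in iter_records(text):
        if rec["func"] != "sasl_bind_send":
            continue
        msg = rec["msg"]
        m = _USER.search(msg)
        if m:
            result["mech"], result["user"] = m.group("mech"), m.group("user")
            continue
        if msg.startswith("ldap_sasl_bind failed"):
            result["failure"], result["kind"] = msg, "unknown"
            continue
        m = _SERVER.search(msg)
        if not m:
            continue
        princ = m.group("princ")
        result["server_principal"] = princ
        k = _KRBTGT.match(princ)
        if k and k.group("target") != k.group("issuer"):
            result["kind"] = "cross-realm-tgt"
            result["target_realm"], result["client_realm"] = k.group("target"), k.group("issuer")
        elif k:
            result["kind"] = "own-tgt-missing"
        else:
            result["kind"] = "service-principal-missing"
    result["hint"] = HINTS.get(result["kind"])
    return result


if __name__ == "__main__":
    for log in (CROSS_REALM_LOG, MISSING_SERVICE_LOG):
        for key, value in diagnose_sasl_bind(log).items():
            print("%-17s %s" % (key, value))
        print()
```

The classification only uses what the GSSAPI minor-code text says; it does not guess at the fix. For the wrapped excerpt it reports `cross-realm-tgt` with `client_realm` IPA.EXAMPLE.TEST and `target_realm` EXAMPLE.TEST, for the second excerpt `service-principal-missing`.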

[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password 
change

HonzaCholasta commented:
"""
@redhatrises, `datetime.utcnow()` is what I meant.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/621#issuecomment-290087879

[Freeipa-devel] [freeipa PR#621][comment] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/621
Title: #621: Add --password-expiration to allow an admin to force a password 
change

redhatrises commented:
"""
@HonzaCholasta used `datetime.utcnow()` as I couldn't find a reference for 
`datetime.utctime()`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/621#issuecomment-290086917

[Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/629
Title: #629: adtrust: make sure that runtime hostname result is consistent with 
the configuration

abbra commented:
"""
Removed backslashes and also moved the check to be the first step when creating 
an instance.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/629#issuecomment-290086797

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/629
Author: abbra
 Title: #629: adtrust: make sure that runtime hostname result is consistent 
with the configuration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/629/head:pr629
git checkout pr629
From f79ec2d56bc8a16765633156a11d4cd9210795d9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 20 Mar 2017 13:23:44 +0200
Subject: [PATCH] adtrust: make sure that runtime hostname result is consistent
 with the configuration

FreeIPA's `ipasam` module for Samba uses the gethostname() call to identify
its own server's host name. This value is then used in multiple places,
including construction of the cifs/host.name principal. The `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in /etc/samba/samba.keytab. However, if
the principal was created using a non-FQDN name but the system reports
an FQDN name, `ipasam` will fail to acquire Kerberos credentials.
The same applies to an FQDN principal and a non-FQDN hostname.

Also, the host name and principal name must have the same case.

Report an error when configuring an ADTrust instance with an inconsistent
runtime hostname and configuration. This prevents errors like this:

[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start

where samba logs have this:

[2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatr...@example.com
[2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786
---
 ipaserver/install/adtrustinstance.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0b18985..3527ca9 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -689,6 +689,15 @@ def __enable_compat_tree(self):
 except Exception as e:
 root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
+def __validate_server_hostname(self):
+hostname = socket.gethostname()
+if hostname != self.fqdn:
+raise ValueError("Host reports different name than configured: "
+ "'%s' versus '%s'. Samba requires to have "
+ "the same hostname or Kerberos principal "
+ "'cifs/%s' will not be found in Samba keytab." %
+ (hostname, self.fqdn, self.fqdn))
+
 def __start(self):
 try:
 self.start()
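Review bot: this revision calls `socket.gethostname()` in the new `__validate_server_hostname` but, unlike the earlier revision of the same patch on this page, no longer adds `import socket` to adtrustinstance.py (the import hunk is gone and the diffstat dropped from 12 to 11 insertions); unless `socket` is already imported in that module, the very first install step now fails with NameError. Please confirm the import is present, or restore the `+import socket` hunk.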
@@ -804,6 +813,8 @@ def find_local_id_range(self):
 api.Backend.ldap2.add_entry(entry)
 
 def create_instance(self):
+self.step("validate server hostname",
+  self.__validate_server_hostname)
 self.step("stopping smbd", self.__stop)
 self.step("creating samba domain object", \
   self.__create_samba_domain_object)

[Freeipa-devel] [freeipa PR#621][edited] Add --password-expiration to allow an admin to force a password change

2017-03-29 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
 Title: #621: Add --password-expiration to allow an admin to force a password 
change
Action: edited

 Changed field: title
Original value:
"""
Add --force-password-reset to user_mod in user.py
"""


[Freeipa-devel] [freeipa PR#621][synchronized] Add --force-password-reset to user_mod in user.py

2017-03-29 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/621
Author: redhatrises
 Title: #621: Add --force-password-reset to user_mod in user.py
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/621/head:pr621
git checkout pr621
From c773399e5f1bad48af3697eefc3c4a76598065cc Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 29 Mar 2017 07:10:13 -0600
Subject: [PATCH] Add --password-expiration to allow admin to force user
 password expiration

- Allows an admin to easily force a user to expire their password, forcing the user to change it immediately or at a specified time in the future.
---
 ACI.txt   |  2 +-
 API.txt   | 18 --
 VERSION.m4|  2 +-
 ipalib/parameters.py  | 16 ++--
 ipaserver/plugins/baseuser.py |  4 
 ipaserver/plugins/user.py |  2 +-
 6 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 9c7996c..185812a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
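Review bot: adding `krbpasswordexpiration` to the "System: Change User password" ACI grants the write to holders of that permission, but the `targetfilter` on the same line still excludes members of `cn=admins`, so the new `--password-expiration` option cannot be applied to admin accounts through this ACI, and HonzaCholasta's comment earlier in this thread shows `admin` itself getting "Insufficient 'write' privilege to the 'krbPasswordExpiration' attribute" and asks for the "Admin can manage any entry" ACI in `install/updates/20-aci.update` to be extended as well. Since forcing a password to expire is an account-control action, the commit message should also say plainly that anyone holding the password-change permission can now expire a user's password.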
diff --git a/API.txt b/API.txt
index 7594157..7850538 100644
--- a/API.txt
+++ b/API.txt
@@ -4828,7 +4828,7 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: stageuser_add/1
-args: 1,44,3
+args: 1,45,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4849,6 +4849,7 @@ option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
 option: Str('l?', cli_name='city')
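Review bot: the new `DateTime('krbpasswordexpiration?', cli_name='password_expiration')` option lands on `stageuser_add` here (and on `stageuser_find`/`stageuser_mod` in the following hunks), so the change sits in the shared baseuser definition (the diffstat lists `ipaserver/plugins/baseuser.py`) rather than only `user_mod` as the PR's earlier title "Add --force-password-reset to user_mod in user.py" suggested; confirm that exposing a password expiration on staged, not-yet-active accounts is intended, and that the `VERSION.m4` change in the diffstat is the API version bump these `args:` count changes require.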
@@ -4933,7 +4934,7 @@ output: Output('result', type=[])
 output: Output('summary', type=[, ])
 output: ListOfPrimaryKeys('value')
 command: stageuser_find/1
-args: 1,53,4
+args: 1,54,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('carlicense*', autofill=False)
@@ -4956,6 +4957,7 @@ option: Str('initials?', autofill=False)
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Str('l?', autofill=False, cli_name='city')
@@ -4993,7 +4995,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: stageuser_mod/1
-args: 1,46,3
+args: 1,47,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5014,6 +5016,7 @@ option: Str('ipasshpubkey*', autofill=False,

[Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins

2017-03-29 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/625
Title: #625: [RFC] remote plugins: add option to force compat plugins

HonzaCholasta commented:
"""
* With `force_client_compat=False`, the benefit is the client API matches the 
remote server API, the drawback is `api.finalize()` does RPC calls and touches 
schema cache (i.e. the current behavior).
* With `force_client_compat=True`, the benefit is `api.finalize()` does no RPC 
calls nor does it touch schema cache, the drawback is that the client API is 
stuck at API version 2.164 (IPA 4.3.3).
* Schema download exists to support newer server versions without having to 
update the client. Compat plugins exist to support older server versions which 
do not have schema support. (See 
http://www.freeipa.org/page/V4/API_Compatiblity.)
* *Optimistic try/fallback* is the current behavior which requires RPC calls in 
`api.finalize()` to detect the server's capabilities in order to reconstruct 
its API locally. With this PR it's possible to skip this step and fall back to 
the behavior of IPA 4.3.3.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/625#issuecomment-290066211

[Freeipa-devel] [bind-dyndb-ldap PR#12][synchronized] README.md: fix markdown formatting

2017-03-29 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Author: tomaskrizek
 Title: #12: README.md: fix markdown formatting
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/12/head:pr12
git checkout pr12
From fc58afe13474e1eb8b572f89a63bd51dfacdbce1 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 23 Mar 2017 15:35:21 +0100
Subject: [PATCH] README.md: fix markdown formatting

Fix some markdown formatting errors to properly render it on pagure and
GitHub.
---
 README.md | 82 ++-
 1 file changed, 39 insertions(+), 43 deletions(-)

diff --git a/README.md b/README.md
index de9cd1f..49f5b95 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,10 @@
-1. Introduction
-===
+# 1. Introduction
 The dynamic LDAP back-end is a plug-in for BIND that provides an LDAP
 database back-end capabilities. It requires dyndb interface which is present
 in BIND versions >= 9.11.0rc1.
 
 
-2. Features
-===
+# 2. Features
 
 * support for dynamic updates
 * SASL authentication
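Review bot: `# 1. Introduction` at the top of the hunk is followed immediately by body text, whereas `# 2. Features` a few lines below gets a blank line after it; add the blank line after the first heading too, both for consistency with the rest of the file and because some markdown renderers want it.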
@@ -16,8 +14,7 @@ in BIND versions >= 9.11.0rc1.
 * DNSSEC in-line signing is supported, including dynamic updates
 
 
-3. Installation
-===
+# 3. Installation
 
 To install the LDAP back-end, extract the tarball and go to the unpacked
 directory. Then follow these steps:
@@ -47,14 +44,13 @@ You can use following commands to prepare latest source tree for compilation:
 	$ cd bind-dyndb-ldap
 	$ autoreconf -fvi
 
-4. LDAP schema
-==
+# 4. LDAP schema
 
 You can find the complete LDAP schema in the documentation directory. An
 example zone ldif is available in the doc directory.
 
-4.1 Master zone (idnsZone)
---
+## 4.1 Master zone (idnsZone)
+
 Object class `idnsZone` is equivalent to type `master` statement in `named.conf`.
 
 ### Attributes
@@ -193,8 +189,8 @@ Object class `idnsZone` is equivalent to type `master` statement in `named.conf`
 	Zone without NSEC3PARAM RR will use NSEC by default.
 
 
-4.2 Forward zone (idnsForwardZone)
---
+## 4.2 Forward zone (idnsForwardZone)
+
 Object class `idnsForwardZone` is equivalent to type `forward` statement
 in named.conf.
 
@@ -243,8 +239,8 @@ Unloaded empty zones will not be loaded back even if the forward zone is later
 deleted. The empty zones will be loaded on each BIND reload.
 
 
-4.3 Global configuration object (idnsConfigObject)
---
+## 4.3 Global configuration object (idnsConfigObject)
+
 Object class idnsConfigObject provides global configuration common
 for all zones.
 
@@ -261,8 +257,8 @@ for all zones.
 	Syntax is the same as in forward zone, please see previous section.
 
 
-4.4 Per-server configuration object (idnsServerConfigObject)
-
+## 4.4 Per-server configuration object (idnsServerConfigObject)
+
 Object class idnsConfigObject provides global configuration common
 for all zones. A plugin instance will read configuration
 only from entries with matching idnsServerId.
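Review bot: in the unchanged context just below the new `## 4.4 Per-server configuration object (idnsServerConfigObject)` heading, the text still reads "Object class idnsConfigObject provides global configuration common for all zones", i.e. the 4.3 description; it should name idnsServerConfigObject and describe the per-server object, as the next sentence about matching idnsServerId already does. Not a markdown issue, but a one-line fix that fits this README cleanup.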
@@ -296,8 +292,8 @@ only from entries with matching idnsServerId.
 	LIMITATION: Current plugin version supports only `ipalocation` variable
 
 
-4.5 Record template (idnsTemplateObject)
-
+## 4.5 Record template (idnsTemplateObject)
+
 Object class idnsTemplateObject provides facility for dynamic resource record
 generation. The template entry must contain idnsTemplateAttribute with
 string template.
@@ -333,8 +329,7 @@ by the template string are defined.
 	https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
 
 
-5. Configuration
-
+# 5. Configuration
 
 To configure dynamic loading of back-end, you must put a `dyndb`
 clause into your named.conf. The clause must then be followed by a
@@ -354,12 +349,12 @@ curly brackets. Example:
 		auth_method "none";
 	};
 
-5.1 Configuration options
--
+## 5.1 Configuration options
+
 List of configuration options follows:
 
-5.1.1 LDAP connection
--
+### 5.1.1 LDAP connection
+
 * uri
 
 	The Uniform Resource Identifier pointing to the LDAP server we
@@ -451,8 +446,8 @@ List of configuration options follows:
 	`/bin/hostname` output.
 
 
-5.1.2 Special DNS features
---
+### 5.1.2 Special DNS features
+
 * fake_mname
 
 	Ignore value of the idnsSOAmName (primary master DNS name) attribute
@@ -476,8 +471,8 @@ List of configuration options follows:
 	by idnsAllowDynUpdate attribute.
 
 
-5.1.3 Plumbing
---
+### 5.1.3 Plumbing
+
 * verbose_checks (default no)
 
 	Set this option to `yes` if you would like to log all failures
@@ -495,8 +490,8 @@ List of configuration options follows:
 	The path is relative to `directory` specified in BIND options.
 	See section 6 (DNSS

[Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/625
Title: #625: [RFC] remote plugins: add option to force compat plugins

tiran commented:
"""
I don't understand the implications of this change and the new flag:

* What are the benefits and drawbacks of ```force_client_compat=False```?
* What are the benefits and drawbacks of ```force_client_compat=True```?
* Why does FreeIPA have schema download and compat plugins at all?
* Why is this feature implemented as *either/or* option instead of *optimistic 
try/fallback*?

The new feature is missing unit and integration tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/625#issuecomment-290051095

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0

martbab commented:
"""
@MartinBasti WebUI not working in DL0/--no-pkinit is beyond the scope of this 
PR. I am working on fixing that in a separate PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/640#issuecomment-290052050

[Freeipa-devel] [bind-dyndb-ldap PR#12][opened] README.md: fix markdown formatting

2017-03-29 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Author: tomaskrizek
 Title: #12: README.md: fix markdown formatting
Action: opened

PR body:
"""
Fix some markdown formatting errors to properly render it on pagure.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/12/head:pr12
git checkout pr12


[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers 

tiran commented:
"""
Depends on PRs #475, #587, #594
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-286665946

[Freeipa-devel] [freeipa PR#671][opened] [WIP] Slim down dependencies

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: [WIP] Slim down dependencies
Action: opened

PR body:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From 230b7936c479d29416a580428db9f3448d65a125 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/csrgen.py   |  8 +++-
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  6 ++
 ipapython/setup.py|  2 --
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index a0d99ef..0a9ede1 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -4,7 +4,6 @@
 
 import six
 
-from ipaclient.csrgen import CSRGenerator, FileRuleProvider
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -15,6 +14,13 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient.csrgen import CSRGenerator, FileRuleProvider
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..5b02341 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,15 +54,13 @@
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["jinja2"],
 },
 zip_safe=False,
 )
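Review bot: jinja2, python-yubico and pyusb leave install_requires here, but the diffstat above shows only the two setup.py files and two plugin modules changing, so the RPM spec's Requires for the client package are not adjusted in this patch; either update freeipa.spec.in in the same PR or state in the commit message that packaging keeps hard-requiring them, so the now-optional csrgen and otptoken_yubikey plugins do not silently disappear from a packaged install. The rename of the extra from `"yubico", "usb"` (import names) to `"python-yubico", "pyusb"` (distribution names) is correct, since extras_require must list distributions.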
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 2fc039f..491a5ed 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,13 +41,11 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
 "pyldap",
 "netaddr",
 "netifaces",
 "python-nss",
-"requests",
 "six",
 ],
 extras_require={
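Review bot: `jwcrypto` and `requests` are dropped from ipapython's install_requires, but nothing in the patch shows where their users moved or that ipapython no longer imports them, and the commit message only says "Remove unused install requires"; please mention in the commit message how this was verified (for example a grep of ipapython for `import jwcrypto` and `import requests`) so a reviewer can check it without re-deriving it.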
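The try/except pattern in the patch above separates "an optional third-party dependency is missing, skip the plugin" from "the plugin's own module is broken, fail loudly". The following is an added example, not FreeIPA's own code: `SkipPluginModule` here is a stand-in for `ipalib.errors.SkipPluginModule` (assumed to play the same role), the plugin names are made up, and the module name `absent_dep_for_example` is constructed so that it never exists.

```python
"""Loading plugins whose third-party dependencies are optional (added example)."""
import importlib


class SkipPluginModule(Exception):
    """Raised by a plugin module to tell the loader to skip it rather than fail.

    Stand-in for ipalib.errors.SkipPluginModule (assumption: same role).
    """

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def require_optional(dist_names, module_names):
    """Import every module in module_names.

    A missing module is translated into SkipPluginModule whose reason names
    the distribution(s) the user has to install, so the message points at
    the right package even when several modules are probed.
    """
    missing = []
    for name in module_names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    if missing:
        raise SkipPluginModule(
            "%s is not installed (cannot import %s)"
            % (" and ".join(dist_names), ", ".join(missing)))


def load_plugins(specs):
    """specs: iterable of (plugin_name, dist_names, module_names, loader).

    Returns ({name: loaded object}, {name: skip reason}).  Only an ImportError
    raised while probing the optional dependency becomes a skip; an
    ImportError raised by the plugin's own loader is a bug in that module and
    is deliberately allowed to propagate so that it is noticed.
    """
    loaded, skipped = {}, {}
    for name, dist_names, module_names, loader in specs:
        try:
            require_optional(dist_names, module_names)
        except SkipPluginModule as exc:
            skipped[name] = exc.reason
            continue
        loaded[name] = loader()
    return loaded, skipped


def _json_plugin():
    # Constructed plugin body; 'json' is in the standard library so it always loads.
    return "json plugin ready"


def _broken_plugin():
    # Constructed: simulates a plugin module with its own import bug.
    raise ImportError("bug inside the plugin module")


EXAMPLE_SPECS = [
    ("present", ["some-present-dist"], ["json"], _json_plugin),
    # Constructed module name that does not exist anywhere, so this one is skipped.
    ("absent", ["python-absent-dep"], ["absent_dep_for_example"], _json_plugin),
]


if __name__ == "__main__":
    print(load_plugins(EXAMPLE_SPECS))
```

Running it loads the `present` plugin and records a skip reason for `absent` that names `python-absent-dep`; a loader that itself raises ImportError is not swallowed, which is the distinction the reviewer note on the csrgen hunk asks to be made explicit.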

[Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: edited

 Changed field: body
Original value:
"""
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversial, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as a pre-commit check. It combines several
additional checks under a single, easy-to-remember and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604
"""


[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers 

tiran commented:
"""
All dependencies have been merged. PR is ready for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325

[Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst

tomaskrizek commented:
"""
@pemensik Hi, could you take a quick look at this change?

I ran coverity and the issues were fixed.

It might also be possible to remove the REQUIRE, but since I'm not sure whether 
`inst` is always non-null in the new dyndb workflow, I added the check just to 
be sure.
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-290026409

[Freeipa-devel] [bind-dyndb-ldap PR#11][opened] Coverity: fix REVERSE_INULL for pevent->inst

2017-03-29 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Author: tomaskrizek
 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst
Action: opened

PR body:
"""
With the DynDB API changes, the ldap instance is acquired
differently. Previously, obtaining the instance could fail when
LDAP was disconnecting, thus the NULL check was necessary in the
cleanup part.

Now, inst is obtained directly from the API. I'm not sure what is
the exact behaviour in edge cases such as LDAP disconnecting, so
I perform the NULL check a bit earlier, just to be safe.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/11/head:pr11
git checkout pr11
From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 27 Mar 2017 19:41:05 +0200
Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst

With the DynDB API changes, the ldap instance is acquired
differently. Previously, obtaining the instance could fail when
LDAP was disconnecting, thus the NULL check was necessary in the
cleanup part.

Now, inst is obtained directly from the API. I'm not sure what is
the exact behaviour in edge cases such as LDAP disconnecting, so
I perform the NULL check a bit earlier, just to be safe.
---
 src/ldap_helper.c | 42 +-
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 1fa0ec9..e0c4b76 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event)
 	mctx = pevent->mctx;
 	dns_name_init(&prevname, NULL);
 
+	REQUIRE(inst != NULL);
 	INSIST(task == inst->task); /* For task-exclusive mode */
 
 	if (SYNCREPL_DEL(pevent->chgtype)) {
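Review bot: `REQUIRE(inst != NULL)` is a fatal assertion, so if `inst` really can be NULL while LDAP is disconnecting (the commit message says this is uncertain) the change turns a previously tolerated condition into an abort of the whole named process; either establish from the DynDB API that `inst` is guaranteed non-NULL here and say so in the commit message, or handle NULL by logging and returning instead of asserting.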
@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event)
 	}
 
 cleanup:
-	if (inst != NULL) {
-		sync_concurr_limit_signal(inst->sctx);
-		sync_event_signal(inst->sctx, pevent);
-		if (dns_name_dynamic(&prevname))
-			dns_name_free(&prevname, inst->mctx);
-	}
+	sync_concurr_limit_signal(inst->sctx);
+	sync_event_signal(inst->sctx, pevent);
+	if (dns_name_dynamic(&prevname))
+		dns_name_free(&prevname, inst->mctx);
+
 	if (result != ISC_R_SUCCESS)
 		log_error_r("update_zone (syncrepl) failed for %s. "
 			"Zones can be outdated, run `rndc reload`",
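Review bot: the cleanup block now dereferences `inst->sctx` and `inst->mctx` unconditionally, which is only safe if no `goto cleanup` (CHECK) can be reached before the new `REQUIRE(inst != NULL)`; the hunk context starts at `mctx = pevent->mctx`, so please confirm nothing between the function entry and that line can jump to `cleanup`, in update_zone and in the three other functions below, or move the REQUIRE to the very top of each function.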
@@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event)
 
 	mctx = pevent->mctx;
 
+	REQUIRE(inst != NULL);
 	INSIST(task == inst->task); /* For task-exclusive mode */
 	CHECK(ldap_parse_configentry(entry, inst));
 
 cleanup:
-	if (inst != NULL) {
-		sync_concurr_limit_signal(inst->sctx);
-		sync_event_signal(inst->sctx, pevent);
-	}
+	sync_concurr_limit_signal(inst->sctx);
+	sync_event_signal(inst->sctx, pevent);
+
 	if (result != ISC_R_SUCCESS)
 		log_error_r("update_config (syncrepl) failed for %s. "
 			"Configuration can be outdated, run `rndc reload`",
@@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event)
 
 	mctx = pevent->mctx;
 
+	REQUIRE(inst != NULL);
 	INSIST(task == inst->task); /* For task-exclusive mode */
 	CHECK(ldap_parse_serverconfigentry(entry, inst));
 
 cleanup:
-	if (inst != NULL) {
-		sync_concurr_limit_signal(inst->sctx);
-		sync_event_signal(inst->sctx, pevent);
-	}
+	sync_concurr_limit_signal(inst->sctx);
+	sync_event_signal(inst->sctx, pevent);
+
 	if (result != ISC_R_SUCCESS)
 		log_error_r("update_serverconfig (syncrepl) failed for %s. "
 			"Configuration can be outdated, run `rndc reload`",
@@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event)
 	dns_name_init(&prevname, NULL);
 	dns_name_init(&prevorigin, NULL);
 
+	REQUIRE(inst != NULL);
 	CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure));
 	zone_found = ISC_TRUE;
 
@@ -4020,13 +4021,12 @@ update_record(isc_task_t *task, isc_event_t *event)
 			ldap_entry_logname(entry), pevent->chgtype);
 	}
 
-	if (inst != NULL) {
-		sync_concurr_limit_signal(inst->sctx);
-		if (dns_name_dynamic(&prevname))
-			dns_name_free(&prevname, inst->mctx);
-		if (dns_name_dynamic(&prevorigin))
-			dns_name_free(&prevorigin, inst->mctx);
-	}
+	sync_concurr_limit_signal(inst->sctx);
+	if (dns_name_dynamic(&prevname))
+		dns_name_free(&prevname, inst->mctx);
+	if (dns_name_dynamic(&prevorigin))
+		dns_name_free(&prevorigin, inst->mctx);
+
 	if (raw != NULL)
 		dns_zone_detach(&raw);
 	if (secure != NULL)

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

tomaskrizek commented:
"""
master:

* 67e5244cad72bef76de1c4df47a0c77a672fa861 server: make sure we test for 
sss_nss_getlistbycert

ipa-4-5:

* 8be6987da72dff0ebd4e02c946b45b5b1705d880 server: make sure we test for 
sss_nss_getlistbycert
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/669#issuecomment-290022005

[Freeipa-devel] [freeipa PR#669][+pushed] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

Label: +pushed

[Freeipa-devel] [freeipa PR#669][closed] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/669
Author: abbra
 Title: #669: server: make sure we test for sss_nss_getlistbycert
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/669/head:pr669
git checkout pr669

[Freeipa-devel] [freeipa PR#668][closed] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/668
Author: HonzaCholasta
 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/668/head:pr668
git checkout pr668

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

tomaskrizek commented:
"""
master:

* b18ee8b9dd3b1d0cfdc45373a7a56747e1f993a3 spec file: bump 
libsss_nss_idmap-devel BuildRequires

ipa-4-5:

* 127f7ce699677d8c689099eac350a54293a5009d spec file: bump 
libsss_nss_idmap-devel BuildRequires
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290021579

[Freeipa-devel] [freeipa PR#668][+pushed] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

Label: +pushed

[Freeipa-devel] [freeipa PR#668][synchronized] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/668
Author: HonzaCholasta
 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/668/head:pr668
git checkout pr668
From c662f152c6d073d0d0a04a361802bb924aa0dc21 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 29 Mar 2017 07:14:24 +
Subject: [PATCH] spec file: bump libsss_nss_idmap-devel BuildRequires

Bump BuildRequires on libsss_nss_idmap-devel to the version which
introduces the sss_nss_getlistbycert function.

This fixes RPM build failure when an older version of
libsss_nss_idmap-devel was installed.

https://pagure.io/freeipa/issue/6828
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e7e39e8..829c3f0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,8 +121,8 @@ BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_certmap-devel
-# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897)
-BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
+# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050)
+BuildRequires:  libsss_nss_idmap-devel >= 1.15.3
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
 BuildRequires:  libunistring-devel
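Review bot: only the BuildRequires is raised to 1.15.3; if the server binary now calls sss_nss_getlistbycert at runtime, the matching runtime Requires on the sssd client library should be bumped in the same change, otherwise a package built against 1.15.3 may still install next to an older libsss_nss_idmap and fail with an undefined symbol at load time. The diffstat (one file, 2 insertions and 2 deletions) shows no such change, so either add it or note in the commit message why it is not needed.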

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

HonzaCholasta commented:
"""
Changed ticket link to https://pagure.io/freeipa/issue/6828.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290020664

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

tomaskrizek commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/669#issuecomment-290019629

[Freeipa-devel] [freeipa PR#669][+ack] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

Label: +ack

[Freeipa-devel] [freeipa PR#668][+ack] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

Label: +ack

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

abbra commented:
"""
On the systems where pkg-config is available, a positive result from the pkg-config 
check means the headers are available, because pkg-config files are part of the 
development sub-packages. A symbol check in the library is enough then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/669#issuecomment-290016098

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

HonzaCholasta commented:
"""
Right.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290015269

[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 7c1f30c54efdee5ec687659c0ff7426fd1eabc8e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH 1/2] Add make patchcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversial, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as a pre-commit check. It combines several
additional checks under a single, easy-to-remember and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am  | 31 ++-
 configure.ac | 12 
 ipatests/util.py | 28 ++--
 3 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..2097030 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: patchcheck
+patchcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
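Review bot: the target hard-fails with "ERROR: python2 not available" when WITH_PYTHON2 is false but only prints "WARNING: python3 not available" in the mirror case, so on a Python 3-only development host `make patchcheck` is unusable even though every check it runs works under Python 3; treat both interpreters the same way (warn when one is missing, error only when neither is found) so the target degrades gracefully as Python 2 disappears from developer machines.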
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..0174320 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
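Review bot: `AC_PATH_PROG(PYTHON2, python2)` only finds an executable literally named python2 (likewise python3), so on hosts where the interpreters are installed as python2.7 or python3.6 without the unversioned alias the WITH_PYTHON2/WITH_PYTHON3 conditionals silently come out false and patchcheck errors out; consider `AC_PATH_PROGS` with a list of candidate names, or reuse the already-detected `$PYTHON` (checked just above at `if test "x$PYTHON" = "x"`) for whichever major version it is.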
diff --git a/ipatests/util.py b/ipatests/util.py
index d877dcc..575d5cc 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -194,9 +194,9 @@ class Fuzzy(object):
 Use of a regular expression by default implies the ``unicode`` type, so
 comparing with an ``str`` instance will evaluate to ``False``:
 
->>> phone.type
-
->>> '123-456-7890' == phone
+>>> phone.type is six.text_type
+True
+>>> b'123-456-7890' == phone
 False
 
 The *type* kwarg allows you to specify a type constraint, so you can force
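Review bot: the docstring sentence just above the hunk still says that comparing with an ``str`` instance evaluates to False, but the example now compares a ``bytes`` literal (`b'123-456-7890' == phone`); under Python 3 str is the text type that does match, so the sentence should say ``bytes``. The new `>>> phone.type is six.text_type` line also needs `six` importable in the doctest namespace; confirm ipatests/util.py imports six at module level, which this hunk does not show.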
@@ -236,15 +236,15 @@ class Fuzzy(object):
 >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True)
 >>> fuzzy.regex
 '.+'
->>> fuzzy.type
-
+>>> fuzzy.type is str
+True
 >>> fuzzy.test  # doctest:+ELLIPSIS
  at 0x...>
 
 To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well:
 
 >>> fuzzy  # doctest:+ELLIPSIS
-Fuzzy('.+', ,  at 0x...>)
+Fuzzy('.+', <... 'str'>,  at 0x...>)
 """
 
 def __init__(self, regex=None, type=None, test=None):
@@ -344,20 +344,20 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 If the tests fails, it will raise an ``Asserti

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0

stlaz commented:
"""
Pushed a cleaner version of the previous changes, thanks @HonzaCholasta for the 
suggestion.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/640#issuecomment-290012934

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

tomaskrizek commented:
"""
We still want to merge this PR to take care of the upstream BuildRequires 
though, right?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290012044

[Freeipa-devel] [freeipa PR#658][+ack] Hide PKI Client database password in log file

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/658
Title: #658: Hide PKI Client database password in log file

Label: +ack

[Freeipa-devel] [freeipa PR#658][comment] Hide PKI Client database password in log file

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/658
Title: #658: Hide PKI Client database password in log file

stlaz commented:
"""
Works well, thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/658#issuecomment-290014081

[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/4] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and, when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
 cert_file_opt = (self.pkinit_cert_files,)
 if not self.no_pkinit:
 cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-raise RuntimeError(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
 if self.no_pkinit and self.pkinit_cert_files:
 raise RuntimeError(
 "--no-pkinit and --pkinit-cert-file cannot be specified "
 "together"
 )
+if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+raise RuntimeError(
+"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+"or --no-pkinit are required if any key file options are used."
+)
 
 if not self.interactive:
 if self.dirsrv_cert_files and self.dirsrv_pin is None:
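Review bot: The reordering does what the commit message describes, but once the --no-pkinit/--pkinit-cert-file conflict is raised first, the second condition no longer needs `cert_file_opt`: when `self.no_pkinit` is false, `cert_file_req` already contains it (`cert_file_req += cert_file_opt`), and when it is true, a set `pkinit_cert_files` has already raised, so `if any(cert_file_req) and not all(cert_file_req):` is equivalent and reads clearer. A unit test for the `--no-pkinit --dirsrv-cert-file` combination would pin the new error order.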

From 6620562bc9ec874723ae32b54a53734666ec4271 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it up
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 |  2 +-
 install/tools/man/ipa-server-install.1  |  2 +-
 ipaserver/install/server/__init__.py| 21 +
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
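Review bot: The new sentence tells administrators that --no-pkinit is the only allowed behavior on domain level 0 but not what the installer does with --pkinit-cert-file there; since this commit refuses pkinit-related options on DL0, say so here so the resulting error is documented next to the flag that triggers it.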
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..096cb01 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ def dirsrv_config_file(self, value):
 if not os.path.exists(value):
 raise ValueError("File %s does not exist." % value)
 
+def _is_promote(self):
+"""
+:returns: True if domain level options correspond to domain level > 0
+"""
+raise NotImplementedError()
+
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+# p
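Review bot: `_is_promote` is introduced as a method that only raises NotImplementedError, so every concrete subclass of ServerInstallInterface must override it or the installer will crash at the new call site in `__init__`; the docstring should name the classes expected to implement it, or the base class should return a safe default. The hunk is cut off after `# p`, so the caller itself cannot be reviewed here.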

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/669
Title: #669: server: make sure we test for sss_nss_getlistbycert

tiran commented:
"""
AC_CHECK_LIB only checks for functions in libs. Compilation may still fail if 
header files and library are not in sync. IMHO we don't have to care about this 
broken case.

LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/669#issuecomment-290011518

[Freeipa-devel] [freeipa PR#670][opened] [Py3] session storage parameters must be bytes

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/670
Author: tiran
 Title: #670: [Py3] session storage parameters must be bytes
Action: opened

PR body:
"""
Fixes TypeError: bytes or integer address expected instead of str instance

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/670/head:pr670
git checkout pr670
From 6a2e09105dd347d74bc2c8dfbfc5c965d484a7ab Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 29 Mar 2017 09:45:05 +0200
Subject: [PATCH] [Py3] session storage parameters must be bytes

Fixes TypeError: bytes or integer address expected instead of str instance

Signed-off-by: Christian Heimes 
---
 ipapython/session_storage.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 6af064c..1443413 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments):
 krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )
 krb5_free_unparsed_name.restype = None
 
-CONF_REALM = "X-CACHECONF:"
-CONF_NAME = "krb5_ccache_conf_data"
+CONF_REALM = b"X-CACHECONF:"
+CONF_NAME = b"krb5_ccache_conf_data"
 
 
 def store_data(princ_name, key, value):
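Review bot: Converting the two constants to bytes fixes the literal values, but `store_data(princ_name, key, value)` at the bottom of the hunk still receives caller-supplied values that will raise the same TypeError under Python 3 if any of them is a str; encode them (or assert `isinstance(x, bytes)`) at the top of `store_data` and its read-side counterpart so the ctypes boundary is handled in one place rather than at each literal.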

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

abbra commented:
"""
I submitted https://github.com/freeipa/freeipa/pull/669 for that
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290010251

[Freeipa-devel] [freeipa PR#669][opened] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/669
Author: abbra
 Title: #669: server: make sure we test for sss_nss_getlistbycert
Action: opened

PR body:
"""
Fixes https://pagure.io/freeipa/issue/6828
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/669/head:pr669
git checkout pr669
From ffca2ba3b77e77bc89e80f48f4a2abe93b70732f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 29 Mar 2017 10:43:11 +0300
Subject: [PATCH] server: make sure we test for sss_nss_getlistbycert

Fixes https://pagure.io/freeipa/issue/6828
---
 server.m4 | 5 +
 1 file changed, 5 insertions(+)

diff --git a/server.m4 b/server.m4
index 5d5333e..346d73e 100644
--- a/server.m4
+++ b/server.m4
@@ -29,6 +29,11 @@ DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
 dnl -- sss_idmap is needed by the extdom exop --
 PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
 PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
+AC_CHECK_LIB([sss_nss_idmap],
+ [sss_nss_getlistbycert],
+ [],
+ [AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])],
+ [])
 
 dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin --
 PKG_CHECK_EXISTS([sss_certmap],
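Review bot: The link test `AC_CHECK_LIB([sss_nss_idmap], [sss_nss_getlistbycert], ...)` uses only the default linker search path, so a library that `PKG_CHECK_MODULES([SSSNSSIDMAP], ...)` located through a non-standard -L would fail this check; run it with LDFLAGS extended from $SSSNSSIDMAP_LIBS, or pass them in the other-libraries argument instead of the empty `[]`. The empty action-if-found is right here because it keeps -lsss_nss_idmap out of LIBS, but the check only proves the symbol is in the library, not that sss_nss_idmap.h declares it; an AC_CHECK_DECL against the header would cover the header/library skew case.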

[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers

2017-03-29 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 7c1f30c54efdee5ec687659c0ff7426fd1eabc8e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH] Add make patchcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversial, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as a pre-commit check. It combines several
additional checks under a single, easily remembered and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am  | 31 ++-
 configure.ac | 12 
 ipatests/util.py | 28 ++--
 3 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..2097030 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: patchcheck
+patchcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
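Review bot: The Python 3 branch only prints `WARNING: python3 not available` and then falls through to `All tests passed.`, while a missing python2, polint, pylint or jslint is a hard `exit 1`; since the commit message promises pylint under Python 2 and 3, either make the missing-python3 case an error like the others or change the final message so it does not claim full coverage. Also consider running the cheap `acilint apilint polint jslint` targets before the unit tests so a pre-commit run fails fast on lint errors.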
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..0174320 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
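Review bot: `AC_PATH_PROG(PYTHON2, python2)` only finds an executable literally named python2; on hosts where the Python 2 interpreter is installed only as `python` (the `$PYTHON` chosen just above this hunk), WITH_PYTHON2 stays false and `make patchcheck` refuses to run even though a suitable interpreter exists. Consider falling back to `$PYTHON` when it reports version 2, and likewise for PYTHON3.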
diff --git a/ipatests/util.py b/ipatests/util.py
index d877dcc..575d5cc 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -194,9 +194,9 @@ class Fuzzy(object):
 Use of a regular expression by default implies the ``unicode`` type, so
 comparing with an ``str`` instance will evaluate to ``False``:
 
->>> phone.type
-
->>> '123-456-7890' == phone
+>>> phone.type is six.text_type
+True
+>>> b'123-456-7890' == phone
 False
 
 The *type* kwarg allows you to specify a type constraint, so you can force
@@ -236,15 +236,15 @@ class Fuzzy(object):
 >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True)
 >>> fuzzy.regex
 '.+'
->>> fuzzy.type
-
+>>> fuzzy.type is str
+True
 >>> fuzzy.test  # doctest:+ELLIPSIS
  at 0x...>
 
 To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well:
 
 >>> fuzzy  # doctest:+ELLIPSIS
-Fuzzy('.+', ,  at 0x...>)
+Fuzzy('.+', <... 'str'>,  at 0x...>)
 """
 
 def __init__(self, regex=None, type=None, test=None):
@@ -344,20 +344,20 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 If the tests fails, it will raise an ``AssertionEr

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

abbra commented:
"""
No, it will make downstream harder because RHEL downstream will only have 
1.15.2 with patches on top of that version.

I have a pull request coming that actually checks for a specific function we 
know is part of those SSSD patches.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290009593

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/668
Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires

tomaskrizek commented:
"""
Do we also need to bump the version in `PKG_CHECK_MODULES` in `server.m4:31`?

```
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/668#issuecomment-290007481

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0

stlaz commented:
"""
@MartinBasti Even though this commit basically breaks the behavior, it's not in 
its scope to fix it, it's somehow intended to break it, actually. It will be 
fixed elsewhere.

I fixed the issue with running this on replica and removed one redundant check 
as well.

I also noticed that DL0 replica has a usability issue where it checks for 
either `*-cert-file` option and requires them all, once it has it, it will say 
that these options can't be used with replica file. I will not fix that here, 
though.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/640#issuecomment-290005415

[Freeipa-devel] [freeipa PR#668][opened] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/668
Author: HonzaCholasta
 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires
Action: opened

PR body:
"""
Bump BuildRequires on libsss_nss_idmap-devel to the version which
introduces the sss_nss_getlistbycert function.

This fixes RPM build failure when an older version of
libsss_nss_idmap-devel was installed.

https://pagure.io/freeipa/issue/6826
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/668/head:pr668
git checkout pr668
From 6e689e106deb15043cc0e3d399d7755c24744fc0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 29 Mar 2017 07:14:24 +
Subject: [PATCH] spec file: bump libsss_nss_idmap-devel BuildRequires

Bump BuildRequires on libsss_nss_idmap-devel to the version which
introduces the sss_nss_getlistbycert function.

This fixes RPM build failure when an older version of
libsss_nss_idmap-devel was installed.

https://pagure.io/freeipa/issue/6826
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e7e39e8..829c3f0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,8 +121,8 @@ BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_certmap-devel
-# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897)
-BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
+# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050)
+BuildRequires:  libsss_nss_idmap-devel >= 1.15.3
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
 BuildRequires:  libunistring-devel
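Review bot: Raising BuildRequires to `libsss_nss_idmap-devel >= 1.15.3` conflicts with the point raised in this thread that the RHEL downstream ships 1.15.2 plus backported patches, and it leaves `server.m4` still checking `sss_nss_idmap >= 1.15.2`, so the two version gates disagree. A configure-time check for the `sss_nss_getlistbycert` symbol (as proposed in PR#669) tests the capability directly and keeps the spec and m4 consistent.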

[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/4] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and, when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
 cert_file_opt = (self.pkinit_cert_files,)
 if not self.no_pkinit:
 cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-raise RuntimeError(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
 if self.no_pkinit and self.pkinit_cert_files:
 raise RuntimeError(
 "--no-pkinit and --pkinit-cert-file cannot be specified "
 "together"
 )
+if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+raise RuntimeError(
+"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+"or --no-pkinit are required if any key file options are used."
+)
 
 if not self.interactive:
 if self.dirsrv_cert_files and self.dirsrv_pin is None:
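Review bot: With the conflict check now first, `cert_file_opt` is redundant in the second condition: when `self.no_pkinit` is false it is already part of `cert_file_req`, and when true a set `pkinit_cert_files` has already raised, so `any(cert_file_req)` suffices. This push leaves the hunk unchanged from the previous one, so the suggestion still applies.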

From 835dbe9dbecfe02ec26a98d52bb4c8c9c2b4cb8a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it up
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 |  2 +-
 install/tools/man/ipa-server-install.1  |  2 +-
 ipaserver/install/server/__init__.py| 16 
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..6fd4957 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -335,6 +335,22 @@ def dirsrv_config_file(self, value):
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+is_dl0 = (
+# in server-install, we have the domain_level option
+(hasattr(self, 'domain_level') and
+ self.domain_level == constants.DOMAIN_LEVEL_0) or
+# on replica we have to decide depending on replica_file appearance
+(ha
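Review bot: `is_dl0` now detects a server install via `hasattr(self, 'domain_level')`, replacing the `_is_promote` hook from the previous push of this PR; hasattr silently yields False on a misspelled or later-renamed attribute, so checking the concrete option set explicitly would be more robust. The hunk is truncated at `(ha`, so the replica_file branch cannot be reviewed here.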