[Freeipa-devel] FreeIPA health check tool PoC
Hi everyone, Some people on our team are working on a simple tool (a PoC actually) for FreeIPA [1]. The idea is to build a tool that can check the state of FreeIPA. In the PoC we are only focusing on certificate related things. What do we have so far? Ideas and a few lines of code. We need more ideas and opinions about the tool. Even though this is just a PoC, do not limit your ideas and proposals because of that. If you have some idea/feature request you can create an issue here: https://github.com/felipevolpone/freeipa-health-checker/issues Also, you can help the project by reviewing the code. Any feedback (and PRs) are welcome. How is this tool different from the Diagnostics Tool [2]? At this point, we have just a PoC and we are testing ideas. A proper IPA health check tool would need a bit of design and research. Now, we are focusing only on the checks themselves. [1] https://github.com/felipevolpone/freeipa-health-checker/ [2] http://www.freeipa.org/page/V4/Diagnostics_Tool Best, Felipe Barreto -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#695][synchronized] [4.4] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: [4.4] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/695/head:pr695 git checkout pr695 From 626890eb13b4663091837a0654d457db0e66c2d7 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- daemons/dnssec/ipa-dnskeysync-replica| 4 +- daemons/dnssec/ipa-ods-exporter | 3 +- ipalib/constants.py | 2 + ipapython/dnssec/localhsm.py | 5 +- ipapython/p11helper.py | 106 --- ipaserver/install/dnskeysyncinstance.py | 10 +-- ipaserver/install/opendnssecinstance.py | 8 +- ipatests/test_ipapython/test_ipap11helper.py | 6 +- 8 files changed, 118 insertions(+), 26 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 69a3a68..3714163 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -15,6 +15,7 @@ import os import sys import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipapython import ipaldap 
@@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -# TODO: slot number could be configurable -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2replica_master_keys_sync(log, ldapkeydb, localhsm) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 385764a..77f8c4d 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -32,6 +32,7 @@ import sqlite3 import traceback import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipapython.dn import DN from ipapython import ipaldap from ipapython import ipautil @@ -645,7 +646,7 @@ log.debug('Connected') ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) diff --git a/ipalib/constants.py b/ipalib/constants.py index c423117..43f1f3c 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -279,3 +279,5 @@ # regexp definitions PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py index 8f18a45..73511e9 100755 --- a/ipapython/dnssec/localhsm.py +++ b/ipapython/dnssec/localhsm.py 
@@ -89,10 +89,11 @@ def __str__(self): def __repr__(self): return self.__str__() + class LocalHSM(AbstractHSM): -def __init__(self, library, slot, pin): +def __init__(self, library, label, pin): self.cache_replica_pubkeys = None -self.p11 = _ipap11helper.P11_Helper(slot, pin, library) +self.p11 = _ipap11helper.P11_Helper(label, pin, library) self.log = logging.getLogger() def __del__(self): diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py index 5ff9ccc..f193ea7 100644 --- a/ipapython/p11helper.py +++ b/ipapython/p11helper.py @@ -30,6 +30,7 @@ }; typedef unsigned long CK_SLOT_ID; +typedef CK_SLOT_ID *CK_SLOT_ID_PTR; typedef unsigned long CK_SESSION_HANDLE; @@ -43,6 +44,13 @@ typedef unsigned long CK_ATTRIBUTE_TYPE; +typedef unsigned long ck_flags_t; + +typedef unsigned char CK_BBOOL; + +typedef unsigned long int CK_ULONG; +typedef CK_ULONG *CK_ULONG_PTR; + struct _CK_ATTRIBUTE { CK_ATTRIBUTE_TYPE type; @@ -59,6 +67,31 @@ unsigned long ulParameterLen; }; +struct _CK_TOKEN_INFO +{ + unsigned char label[32]; + unsigned char manufacturer_id[32]; + unsigned char model[16]; + unsigned
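Review bot: the `struct _CK_TOKEN_INFO` declared in the p11helper.py hunk at `@@ -59,6 +67,31 @@` has `unsigned char label[32]`, and PKCS#11 defines that field as space-padded with no NUL terminator, so the comparison that the new get_slot() makes between this field and `SOFTHSM_DNSSEC_TOKEN_LABEL` (the method body itself is cut off in this excerpt) must either pad the constant to 32 bytes or strip the trailing spaces from the field; a plain equality test against `u'ipaDNSSEC'` would never match a token whose label is shorter than 32 characters. A unit test in test_ipap11helper.py with a short label and a label of exactly 32 characters would pin this down.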
[Freeipa-devel] [freeipa PR#695][edited] [4.4] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: [4.4] Fix PKCS11 helper Action: edited Changed field: title Original value: """ Fix PKCS11 helper """
[Freeipa-devel] [freeipa PR#695][opened] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/695 Author: MartinBasti Title: #695: Fix PKCS11 helper Action: opened PR body: """ Slots in HSM are not assigned statically, we have to choose the proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by the pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead of '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/695/head:pr695 git checkout pr695 From 43eb5208abfa5b4e67b10d4fa14b59c5d4e66f31 Mon Sep 17 00:00:00 2001 
From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- daemons/dnssec/ipa-dnskeysync-replica| 4 +- daemons/dnssec/ipa-ods-exporter | 3 +- ipalib/constants.py | 2 + ipapython/dnssec/localhsm.py | 5 +- ipapython/p11helper.py | 106 --- ipaserver/install/dnskeysyncinstance.py | 10 +-- ipaserver/install/opendnssecinstance.py | 9 ++- ipatests/test_ipapython/test_ipap11helper.py | 6 +- 8 files changed, 119 insertions(+), 26 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 69a3a68..3714163 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -15,6 +15,7 @@ import os import sys import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipapython import ipaldap @@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -# TODO: slot number could be configurable -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2replica_master_keys_sync(log, ldapkeydb, localhsm) 
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 385764a..77f8c4d 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -32,6 +32,7 @@ import sqlite3 import traceback import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipapython.dn import DN from ipapython import ipaldap from ipapython import ipautil @@ -645,7 +646,7 @@ log.debug('Connected') ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) diff --git a/ipalib/constants.py b/ipalib/constants.py index c423117..43f1f3c 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -279,3 +279,5 @@ # regexp definitions PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py index 8f18a45..73511e9 100755 --- a/ipapython/dnssec/localhsm.py +++ b/ipapython/dnssec/localhsm.py @@ -89,10 +89,11 @@ def __str__(self): def __repr__(self): return self.__str__() + class LocalHSM(AbstractHSM): -def __init__(self, library, slot, pin): +def __init__(self, library, label, pin): self.cache_replica_pubkeys = None -self.p11 = _ipap11helper.P11_Helper(slot, pin, library) +self.p11 = _ipap11helper.P11_Helper(label, pin, library) self.log = logging.getLogger() def __del__(self): diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py index 5ff9ccc..f193ea7 100644 --- a/ipapython/p11helper.py +++ b/ipapytho
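Review bot: in the ipa-dnskeysync-replica hunk at `@@ -154,8 +155,7 @@` and the identical ipa-ods-exporter hunk at `@@ -645,7 +646,7 @@`, the rewritten `LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, ...)` call keeps passing `open(paths.DNSSEC_SOFTHSM_PIN).read()` as the PIN, which leaves the file handle to the garbage collector and hands the whole file content (including any trailing newline) to the token; since the call is being rewritten anyway, read the PIN once under a `with open(paths.DNSSEC_SOFTHSM_PIN) as f:` block into a local and pass that, and decide explicitly whether a trailing newline is part of the PIN so both daemons agree with how `--init-token` set it.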
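The PR body above describes choosing the SoftHSM slot from the token label at runtime instead of hard-coding slot 0. The following is an added example and is not FreeIPA's code nor the get_slot() from this PR: it parses the fixed-size leading fields of a PKCS#11 CK_TOKEN_INFO structure from raw bytes, strips the space padding PKCS#11 mandates for the label field, and returns the one slot whose label matches, refusing to proceed when the label is absent or present on more than one token. The slot list and token records are constructed sample data rather than the output of C_GetSlotList/C_GetTokenInfo, and `encode_token_info` exists only to build those samples.

```python
"""Select a PKCS#11 slot by token label rather than by a fixed slot number.

Added example (not FreeIPA code). The token records below are constructed;
a real implementation would obtain slot ids from C_GetSlotList and the
CK_TOKEN_INFO bytes from C_GetTokenInfo.
"""
import struct

# Fixed-size leading fields of CK_TOKEN_INFO (PKCS#11 v2.x):
# label[32], manufacturerID[32], model[16], serialNumber[16].
# All four are space-padded and NOT NUL-terminated.
_TOKEN_INFO_PREFIX = struct.Struct("32s32s16s16s")
TOKEN_LABEL_LEN = 32


def _pad(text, size):
    """Encode text and pad it with spaces to a fixed-size PKCS#11 field."""
    data = text.encode("utf-8")
    if len(data) > size:
        raise ValueError("%r does not fit in %d bytes" % (text, size))
    return data.ljust(size, b" ")


def encode_token_info(label, manufacturer="SoftHSM project",
                      model="SoftHSM v2", serial="0000000000000000"):
    """Build the leading bytes of a CK_TOKEN_INFO record (sample data only)."""
    return _TOKEN_INFO_PREFIX.pack(_pad(label, TOKEN_LABEL_LEN),
                                   _pad(manufacturer, 32),
                                   _pad(model, 16), _pad(serial, 16))


def parse_token_label(token_info):
    """Return the token label from raw CK_TOKEN_INFO bytes, padding removed."""
    if len(token_info) < _TOKEN_INFO_PREFIX.size:
        raise ValueError("CK_TOKEN_INFO record too short")
    label = _TOKEN_INFO_PREFIX.unpack_from(token_info)[0]
    # Strip only the PKCS#11 space padding; undecodable bytes raise rather
    # than silently matching a mangled label.
    return label.decode("utf-8").rstrip(" ")


def get_slot(slots, label):
    """Return the id of the single slot whose token carries `label`.

    `slots` is an iterable of (slot_id, token_info_bytes) pairs, i.e. what a
    C_GetSlotList(tokenPresent=True) + C_GetTokenInfo loop would yield.
    Raises LookupError when no token or more than one token matches, so the
    caller never opens a session on a guessed slot.
    """
    matches = [slot_id for slot_id, info in slots
               if parse_token_label(info) == label]
    if not matches:
        raise LookupError("no token with label %r" % (label,))
    if len(matches) > 1:
        raise LookupError("label %r is present in slots %r; refusing to guess"
                          % (label, matches))
    return matches[0]


# Constructed sample: the ipaDNSSEC token is no longer in slot 0, which is
# the situation the PR describes.
SAMPLE_SLOTS = [
    (0, encode_token_info("unrelated token")),
    (1, encode_token_info("ipaDNSSEC")),
    (2, encode_token_info("another token")),
]

if __name__ == "__main__":
    print("ipaDNSSEC token is in slot", get_slot(SAMPLE_SLOTS, "ipaDNSSEC"))
```

Refusing an ambiguous match is deliberate: two tokens carrying the same label is a configuration error, and picking the lower slot id would reintroduce exactly the "first slot wins" assumption the PR removes.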
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install MartinBasti commented: """ `upgrade and transitions between PKINIT configurations` does this cover: - CA-less to CA-full upgrade? - installed 4.4.4 --- upgraded ---> 4.5.0 --- upgraded > 4.5.1 - installed 4.5.0 --- upgraded ---> 4.5.1 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-291960041
[Freeipa-devel] [freeipa PR#675][edited] [4.5, master] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [4.5, master] Fix PKCS11 helper Action: edited Changed field: title Original value: """ [WIP] Fix PKCS11 helper """
[Freeipa-devel] [freeipa PR#675][comment] [4.5, master] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Title: #675: [4.5, master] Fix PKCS11 helper MartinBasti commented: """ In 50% of cases DNSSEC works for me :-). Ready for review. (The issue was unrelated to PKCS11, I probably had a somehow broken machine) """ See the full comment at https://github.com/freeipa/freeipa/pull/675#issuecomment-291921421
[Freeipa-devel] [freeipa PR#693][+ack] [tests] collect audit.log for easier selinux investigation
URL: https://github.com/freeipa/freeipa/pull/693 Title: #693: [tests] collect audit.log for easier selinux investigation Label: +ack
[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 From 5d5db000a2ffe5caec234da98279660666177ac1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- daemons/dnssec/ipa-dnskeysync-replica| 4 +- daemons/dnssec/ipa-ods-exporter | 3 +- ipalib/constants.py | 2 + ipaserver/dnssec/localhsm.py | 5 +- ipaserver/install/dnskeysyncinstance.py | 10 +-- ipaserver/install/opendnssecinstance.py | 8 +- ipaserver/p11helper.py | 106 --- ipatests/test_ipaserver/test_ipap11helper.py | 6 +- 8 files changed, 118 insertions(+), 26 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 9bf19ee..c7b9cf3 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -15,6 +15,7 @@ import os import sys import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup 
@@ -158,8 +159,7 @@ ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -# TODO: slot number could be configurable -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2replica_master_keys_sync(log, ldapkeydb, localhsm) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 260a7b6..6fe11dc 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -32,6 +32,7 @@ import sqlite3 import traceback import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN from ipapython import ipaldap @@ -647,7 +648,7 @@ log.debug('Connected') ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) diff --git a/ipalib/constants.py b/ipalib/constants.py index f8a194c..e604bb4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -313,3 +313,5 @@ '.cache' ) ) + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py index c1e4887..12b40cc 100755 --- a/ipaserver/dnssec/localhsm.py +++ b/ipaserver/dnssec/localhsm.py @@ -89,10 +89,11 @@ def __str__(self): def __repr__(self): return self.__str__() + class LocalHSM(AbstractHSM): -def __init__(self, library, slot, pin): +def __init__(self, library, label, pin): self.cache_replica_pubkeys = None -self.p11 = _ipap11helper.P11_Helper(slot, pin, library) +self.p11 = _ipap11helper.P11_Helper(label, pin, library) self.log = logging.getLogger() def __del__(self): 
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 861a170..3849626 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -23,10 +23,9 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipaserver.install.bindinstance import dns_container_exists -softhsm_token_label = u'ipaDNSSEC' -softhsm_slot = 0 replica_keylabel_template = u"dnssec-replica:%s" @@ -254,8 +253,8 @@ def __setup_softhsm(self): command = [ paths.SOFTHSM2_UTIL, '--init-token', -'--slot', str(softhsm_slot), -'--label', so
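Review bot: the dnskeysyncinstance.py hunk at `@@ -254,8 +253,8 @@` replaces `'--slot', str(softhsm_slot)` with `--free` for `softhsm2-util --init-token`, but the diffstat lists no packaging change alongside the eight source files; `--free` only exists in newer softhsm2-util releases (the commit message itself cites SoftHSM 2.2.0 as the version that changed slot assignment), so the spec file's minimum softhsm dependency should be raised to match, otherwise an install on an older SoftHSM fails at token initialisation with an unknown-option error rather than the clear message this patch is meant to deliver.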
[Freeipa-devel] [freeipa PR#694][opened] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: opened PR body: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons. Nevertheless, there are following things lacking in this PR that I will either push on top of this one or create a new PR: -[ ] removal of anonymous keytab, asi it is now useless (and always was) -[ ] upgrade and transitions between PKINIT configurations -[ ] reporting PKINIT state in LDAP -[ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694 From a3ad3a37972c81dec251c5ad7b1c9795d7ce4581 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 31 Mar 2017 14:14:11 +0200 Subject: [PATCH 1/8] Use only anonymous PKINIT to fetch armor ccache Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 --- ipalib/install/kinit.py | 30 +- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 1e4d1a8..fb6caee 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -7,7 +7,6 @@ import gssapi -from ipalib.constants import ANON_USER from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run 
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None, raise RuntimeError(result.error_output) -def kinit_armor(ccache_name): +def kinit_armor(ccache_name, pkinit_anchor=None): """ -perform kinit to obtain anonymous ticket to be used as armor for FAST. +perform anonymous pkinit to obtain anonymous ticket to be used as armor +for FAST. + +:param ccache_name: location of the armor ccache +:param pkinit_anchor: if not None, the location of PKINIT anchor file to +use. Otherwise the value from Kerberos client library configuration is +used + +:raises: CalledProcessError if the anonymous PKINIT fails """ root_logger.debug("Initializing anonymous ccache") env = {'LC_ALL': 'C'} -# try with the keytab first and then again fallback to try with pkinit in -# case someone decided it is fun to remove Anonymous keys from the entry -# or in future pkinit enabled principal enforce the use of pkinit -try: -# Gssapi does not understand anonymous cred use kinit command instead -args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB, -ANON_USER, '-c', ccache_name] -run(args, env=env, raiseonerr=True, capture_error=True) -return -except Exception as e: -root_logger.debug("Failed to init Anonymous keytab: %s", e, - exc_info=True) - -root_logger.debug("Fallback to slower Anonymous PKINIT") args = [paths.KINIT, '-n', '-c', ccache_name] +if pkinit_anchor is not None: +args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)]) + # this workaround enables us to capture stderr and put it # into the raised exception in case of unsuccessful authentication run(args, env=env, raiseonerr=True, capture_error=True) From 4946b1f34dcc50cd46979ed249f308791a5cc397 Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Fri, 31 Mar 2017 14:44:29 +0200 Subject: [PATCH 2/8] krbinstance: add the ability to record and retrieve PKINIT status An API was added to record the configured PKINIT status in the state file during KDC configuration. The PKINIT feature can have the following states: * full PKINIT: PKINIT certificate was issued by IPA CA and all clients with IPA CA configured as PKINIT trust anchor will be able to perform PKINIT and request anonymous TGT from this KDC * external PKINIT: the PKINIT certificate was provided by a 3rd party in a PKCS#12 bundle and all clients that have its root CA as anchor can request TGTs by PKINIT * local PKINIT: PKINIT certificate was self-signed by KDC's private key. This is a fallback mechanism usable only locally on the master hosting the KDC. Its intended use is to provide FAST armoring for password authenticated requests (e.g. WebUI logins) See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for more details. https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbi
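Review bot: the kinit.py hunk at `@@ -97,29 +96,26 @@` removes the keytab-first path and its `except Exception` fallback, so a failing anonymous PKINIT now surfaces from `run(args, env=env, raiseonerr=True, capture_error=True)` as CalledProcessError instead of being logged and retried; that matches the new `:raises:` line in the docstring, but every caller of `kinit_armor()` that previously got a best-effort armor ccache should be checked for handling that exception, since WebUI/password logins are exactly the path this PR is meant to unblock. The removed `from ipalib.constants import ANON_USER` at `@@ -7,7 +7,6 @@` is consistent with the change, as nothing left in the function references it.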
[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: edited Changed field: body Original value: """ This PR implements a basic local PKINIT functionality for server install with '--no-pkinit' specified, and replica install against older masters or with '--no-pkinit'. These patches unblock WebUI logins/password auths on masters/replicas in the cases proper PKINIT was not configured for whatever reasons. Nevertheless, there are following things lacking in this PR that I will either push on top of this one or create a new PR: -[ ] removal of anonymous keytab, as it is now useless (and always was) -[ ] upgrade and transitions between PKINIT configurations -[ ] reporting PKINIT state in LDAP -[ ] API for querying the PKINIT status on all masters http://www.freeipa.org/page/V4/Kerberos_PKINIT """
[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper
URL: https://github.com/freeipa/freeipa/pull/675 Author: MartinBasti Title: #675: [WIP] Fix PKCS11 helper Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/675/head:pr675 git checkout pr675 From 72283bb7c4e29ec001fa81396c7d1ee09b402e5b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Mar 2017 18:53:11 +0200 Subject: [PATCH] Fix PKCS11 helper Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 --- daemons/dnssec/ipa-dnskeysync-replica| 4 +- daemons/dnssec/ipa-ods-exporter | 3 +- ipalib/constants.py | 2 + ipaserver/dnssec/localhsm.py | 5 +- ipaserver/install/dnskeysyncinstance.py | 9 +-- ipaserver/install/opendnssecinstance.py | 7 +- ipaserver/p11helper.py | 106 --- ipatests/test_ipaserver/test_ipap11helper.py | 4 +- 8 files changed, 115 insertions(+), 25 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 9bf19ee..c7b9cf3 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -15,6 +15,7 @@ import os import sys import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger, standard_logging_setup 
@@ -158,8 +159,7 @@ ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -# TODO: slot number could be configurable -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2replica_master_keys_sync(log, ldapkeydb, localhsm) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 260a7b6..6fe11dc 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -32,6 +32,7 @@ import sqlite3 import traceback import ipalib +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipalib.install.kinit import kinit_keytab from ipapython.dn import DN from ipapython import ipaldap @@ -647,7 +648,7 @@ log.debug('Connected') ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn)) -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) ldap2master_replica_keys_sync(log, ldapkeydb, localhsm) diff --git a/ipalib/constants.py b/ipalib/constants.py index f8a194c..e604bb4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -313,3 +313,5 @@ '.cache' ) ) + +SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC' diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py index c1e4887..12b40cc 100755 --- a/ipaserver/dnssec/localhsm.py +++ b/ipaserver/dnssec/localhsm.py @@ -89,10 +89,11 @@ def __str__(self): def __repr__(self): return self.__str__() + class LocalHSM(AbstractHSM): -def __init__(self, library, slot, pin): +def __init__(self, library, label, pin): self.cache_replica_pubkeys = None -self.p11 = _ipap11helper.P11_Helper(slot, pin, library) +self.p11 = _ipap11helper.P11_Helper(label, pin, library) self.log = logging.getLogger() def __del__(self): 
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 861a170..29c0a4b 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -23,10 +23,9 @@ from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipaserver.install.bindinstance import dns_container_exists -softhsm_token_label = u'ipaDNSSEC' -softhsm_slot = 0 replica_keylabel_template = u"dnssec-replica:%s" @@ -254,8 +253,8 @@ def __setup_softhsm(self): command = [ paths.SOFTHSM2_UTIL, '--init-token', -'--slot', str(softhsm_slot), -'--label', so
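Review bot: the localhsm.py hunk at `@@ -89,10 +89,11 @@` changes `LocalHSM.__init__(self, library, slot, pin)` to `(self, library, label, pin)` with the same arity and passes the value positionally into `P11_Helper(label, pin, library)`, so a caller not updated in this patch that still passes the old integer `0` will not fail at the call site but only later, when the label lookup inside the helper finds no token named `0`. A cheap guard is to reject non-text labels up front (`isinstance(label, six.string_types)` if the module must stay Python 2 compatible) so a stale caller gets an obvious TypeError rather than a misleading "token not found" error.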
[Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 From a5a1428a57dc4191a3853ef628fc5978f1bdd7e9 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 5 Apr 2017 06:50:38 -0600 Subject: [PATCH 1/2] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value --- API.txt | 6 +++--- VERSION.m4| 4 ++-- ipaserver/plugins/baseldap.py | 11 ++- ipaserver/plugins/user.py | 1 + 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 7850538..fa7582d 100644 --- a/API.txt +++ b/API.txt @@ -5923,7 +5923,7 @@ option: Str('manager?') option: Str('mobile*') option: Flag('no_members', autofill=True, default=False) option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock?', cli_name='disabled') +option: Bool('nsaccountlock?', cli_name='disabled', default=False) option: Str('ou?', cli_name='orgunit') option: Str('pager*') option: Str('postalcode?') @@ -6052,7 +6052,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules') option: Str('not_in_netgroup*', cli_name='not_in_netgroups') option: Str('not_in_role*', cli_name='not_in_roles') option: Str('not_in_sudorule*', cli_name='not_in_sudorules') -option: Bool('nsaccountlock?', autofill=False, cli_name='disabled') +option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False) option: Str('ou?', autofill=False, cli_name='orgunit') option: Str('pager*', autofill=False) option: Flag('pkey_only?', autofill=True, default=False) 
@@ -6109,7 +6109,7 @@ option: Str('mail*', autofill=False, cli_name='email') option: Str('manager?', autofill=False) option: Str('mobile*', autofill=False) option: Flag('no_members', autofill=True, default=False) -option: Bool('nsaccountlock?', autofill=False, cli_name='disabled') +option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False) option: Str('ou?', autofill=False, cli_name='orgunit') option: Str('pager*', autofill=False) option: Str('postalcode?', autofill=False) diff --git a/VERSION.m4 b/VERSION.m4 index 6ec56c5..87dec0e 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 225) -# Last change: Add --password-expiration option to force password change +define(IPA_API_VERSION_MINOR, 226) +# Last change: Set default value for nsaccountlock to False diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index dbe3cbd..35ad96f 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py @@ -1937,7 +1937,16 @@ def get_attr_filter(self, ldap, **options): """ search_kw = self.args_options_2_entry(**options) search_kw['objectclass'] = self.obj.object_class -return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) + +filters = [] +for name, value in search_kw.items(): +default = self.get_default_of(name, **options) +fltr = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL) +if default is not None and value == default: +fltr = ldap.combine_filters([fltr, '(!({}=*))'.format(name)]) +filters.append(fltr) + +return ldap.combine_filters(filters, rules=ldap.MATCH_ALL) def get_term_filter(self, ldap, term): """ diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 9eab521..948a198 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py 
@@ -380,6 +380,7 @@ class user(baseuser): takes_params = baseuser.takes_params + ( Bool('nsaccountlock?', cli_name=('disabled'), +default=False, label=_('Account disabled'), ), Bool('preserved?', From 9346349d335464caeda6c7e63814e0b7fa39bd51 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 5 Apr 2017 07:24:34 -0600 Subject: [PATCH 2/2] Remove pytest xfail for test_find_enabled_user --- ipatests/test_xmlrpc/test_user_plugin.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 098163d..7393a23 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -240,9
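Review bot: in the baseldap.py hunk of patch 1/2, `ldap.combine_filters([fltr, '(!({}=*))'.format(name)])` is called without a `rules` argument, so whether the two sub-filters are ORed (the intended "attribute equals its default or is absent") or ANDed depends on that method's default; the outer call a few lines below passes `rules=ldap.MATCH_ALL` explicitly, so do the same here with `rules=ldap.MATCH_ANY` to make the intent visible and independent of the default.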
[Freeipa-devel] [freeipa PR#693][opened] [tests] collect audit.log for easier selinux investigation
URL: https://github.com/freeipa/freeipa/pull/693 Author: MartinBasti Title: #693: [tests] collect audit.log for easier selinux investigation Action: opened PR body: """ Audit log contains useful information about selinux issues """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/693/head:pr693 git checkout pr693 From 5da23c9f552ba9b36536a5821d7b5005dd05a5ea Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 5 Apr 2017 15:11:09 +0200 Subject: [PATCH] [tests] collect audit.log for easier selinux investigation Audit log contains useful information about selinux issues --- ipaplatform/base/paths.py| 1 + ipatests/pytest_plugins/integration/tasks.py | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9cf160f..070d3ff 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -295,6 +295,7 @@ class BasePathNamespace(object): SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd" SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts" SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/" +VAR_LOG_AUDIT = "/var/log/audit/audit.log" DIRSRV_LOCK_DIR = "/var/lock/dirsrv" VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s" SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access" diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py index 382028a..1705e25 100644 --- a/ipatests/pytest_plugins/integration/tasks.py +++ b/ipatests/pytest_plugins/integration/tasks.py 
@@ -84,6 +84,9 @@ def setup_server_logs_collecting(host): # dogtag logs host.collect_log(os.path.join(paths.VAR_LOG_PKI_DIR)) +# selinux logs +host.collect_log(paths.VAR_LOG_AUDIT) + # SSSD debugging must be set after client is installed (function # setup_sssd_debugging) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
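Review bot: `host.collect_log(paths.VAR_LOG_AUDIT)` collects only the current audit.log file, whereas the dogtag logs two lines above are collected as a whole directory via `paths.VAR_LOG_PKI_DIR`; if the audit log is rotated during a long test run, the denials that motivated this change end up in the rotated file and are lost, so consider adding a directory-level path constant for /var/log/audit and collecting that instead.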
[Freeipa-devel] [freeipa PR#688][edited] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: edited Changed field: body Original value: """ - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting nsaccountlock=True if `ipa user-find --disabled=False` is entered in the command line and then search for any case where nsaccountlock != True. This handles the case where nsaccountlock may not exist as an attribute or is False. """
[Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688 Author: redhatrises Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/688/head:pr688 git checkout pr688 From a5a1428a57dc4191a3853ef628fc5978f1bdd7e9 Mon Sep 17 00:00:00 2001 From: Gabe Date: Wed, 5 Apr 2017 06:50:38 -0600 Subject: [PATCH] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value --- API.txt | 6 +++--- VERSION.m4| 4 ++-- ipaserver/plugins/baseldap.py | 11 ++- ipaserver/plugins/user.py | 1 + 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 7850538..fa7582d 100644 --- a/API.txt +++ b/API.txt @@ -5923,7 +5923,7 @@ option: Str('manager?') option: Str('mobile*') option: Flag('no_members', autofill=True, default=False) option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) -option: Bool('nsaccountlock?', cli_name='disabled') +option: Bool('nsaccountlock?', cli_name='disabled', default=False) option: Str('ou?', cli_name='orgunit') option: Str('pager*') option: Str('postalcode?') @@ -6052,7 +6052,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules') option: Str('not_in_netgroup*', cli_name='not_in_netgroups') option: Str('not_in_role*', cli_name='not_in_roles') option: Str('not_in_sudorule*', cli_name='not_in_sudorules') -option: Bool('nsaccountlock?', autofill=False, cli_name='disabled') +option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False) option: Str('ou?', autofill=False, cli_name='orgunit') option: Str('pager*', autofill=False) option: Flag('pkey_only?', autofill=True, default=False) 
@@ -6109,7 +6109,7 @@ option: Str('mail*', autofill=False, cli_name='email') option: Str('manager?', autofill=False) option: Str('mobile*', autofill=False) option: Flag('no_members', autofill=True, default=False) -option: Bool('nsaccountlock?', autofill=False, cli_name='disabled') +option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False) option: Str('ou?', autofill=False, cli_name='orgunit') option: Str('pager*', autofill=False) option: Str('postalcode?', autofill=False) diff --git a/VERSION.m4 b/VERSION.m4 index 6ec56c5..87dec0e 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 225) -# Last change: Add --password-expiration option to force password change +define(IPA_API_VERSION_MINOR, 226) +# Last change: Set default value for nsaccountlock to False diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index dbe3cbd..35ad96f 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py @@ -1937,7 +1937,16 @@ def get_attr_filter(self, ldap, **options): """ search_kw = self.args_options_2_entry(**options) search_kw['objectclass'] = self.obj.object_class -return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) + +filters = [] +for name, value in search_kw.items(): +default = self.get_default_of(name, **options) +fltr = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL) +if default is not None and value == default: +fltr = ldap.combine_filters([fltr, '(!({}=*))'.format(name)]) +filters.append(fltr) + +return ldap.combine_filters(filters, rules=ldap.MATCH_ALL) def get_term_filter(self, ldap, term): """ diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 9eab521..948a198 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py 
@@ -380,6 +380,7 @@ class user(baseuser): takes_params = baseuser.takes_params + ( Bool('nsaccountlock?', cli_name=('disabled'), +default=False, label=_('Account disabled'), ), Bool('preserved?',
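Review bot: the new loop in get_attr_filter applies the "value equals its default, so also match entries that lack the attribute" rule to every attribute in search_kw, not only to nsaccountlock, while the commit message describes the change purely as an nsaccountlock fix; either state the general rule in the method docstring (the docstring closes in the hunk's first context line) or restrict it to the attributes it is meant for, and cover the broader behaviour with a test for a second defaulted search option so a future default added elsewhere does not silently change find results.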
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ @martbab thank you for the suggestion. The new test is available in PR #692 """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291843545
[Freeipa-devel] [freeipa PR#692][opened] tests: add non-reg for idrange-add
URL: https://github.com/freeipa/freeipa/pull/692 Author: flo-renaud Title: #692: tests: add non-reg for idrange-add Action: opened PR body: """ Add non regression test for issue 6404: when idrange-add is called with empty dom-name, the command returns ipa: ERROR: an internal error has occurred https://pagure.io/freeipa/issue/6404 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/692/head:pr692 git checkout pr692 From ae9c23b2dac14eb60a3ecb52258b01385f734ce8 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 5 Apr 2017 11:44:08 +0200 Subject: [PATCH] tests: add non-reg for idrange-add Add non regression test for issue 6404: when idrange-add is called with empty dom-name, the command returns ipa: ERROR: an internal error has occurred https://pagure.io/freeipa/issue/6404 --- ipatests/test_xmlrpc/test_range_plugin.py | 49 ++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py index d0f962a..0a8f66b 100644 --- a/ipatests/test_xmlrpc/test_range_plugin.py +++ b/ipatests/test_xmlrpc/test_range_plugin.py @@ -113,6 +113,12 @@ testrange8_base_rid = rid_shift + 700 testrange8_secondary_base_rid = rid_shift + 800 +testrange9 = u'testrange9' +testrange9_base_id = id_shift + 800 +testrange9_size = 50 +testrange9_base_rid = rid_shift + 800 +testrange9_secondary_base_rid = rid_shift + 1800 + # Domain ranges definitions # Domain1 - AD domain nonactive (not present in LDAP) @@ -416,7 +422,8 @@ def teardown_class(cls): cleanup_commands = [ ('idrange_del', [testrange1, testrange2, testrange3, testrange4, - testrange5, testrange6, testrange7, testrange8], + testrange5, testrange6, testrange7, testrange8, + testrange9], {'continue': True}), ('user_del', [user1], {}), ('group_del', [group1], {}), 
@@ -872,4 +879,44 @@ def teardown_class(cls): 'range.'), ), +# Test for bug 6404 +# if dom-name is empty, add should not fail + +dict( +desc='Create ID range %r' % (testrange9), +command=('idrange_add', [testrange9], + dict(ipanttrusteddomainname=None, + ipabaseid=testrange9_base_id, + ipaidrangesize=testrange9_size, + ipabaserid=testrange9_base_rid, + ipasecondarybaserid=testrange9_secondary_base_rid)), +expected=dict( +result=dict( +dn=DN(('cn', testrange9), ('cn', 'ranges'), ('cn', 'etc'), + api.env.basedn), +cn=[testrange9], +objectclass=[u'ipaIDrange', u'ipadomainidrange'], +ipabaseid=[unicode(testrange9_base_id)], +ipabaserid=[unicode(testrange9_base_rid)], +ipasecondarybaserid=[ +unicode(testrange9_secondary_base_rid)], +ipaidrangesize=[unicode(testrange9_size)], +iparangetyperaw=[u'ipa-local'], +iparangetype=[u'local domain range'], +), +value=testrange9, +summary=u'Added ID range "%s"' % (testrange9), +), +), + +dict( +desc='Delete ID range %r' % testrange9, +command=('idrange_del', [testrange9], {}), +expected=dict( +result=dict(failed=[]), +value=[testrange9], +summary=u'Deleted ID range "%s"' % testrange9, +), +), + ]
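Review bot: in the first hunk, `testrange9_base_rid = rid_shift + 800` is the same value as `testrange8_secondary_base_rid = rid_shift + 800` in the context line just above it; if testrange8 still exists when the new "Create ID range" step runs, the add can be rejected for an overlapping RID range and the test would fail for a reason unrelated to the empty dom-name path it is meant to cover, so use a fresh offset (the secondary base already jumps to rid_shift + 1800). Also, the new step passes `ipanttrusteddomainname=None` through the API while issue 6404 is about an empty --dom-name on the CLI; either add a u'' variant or say in the `# Test for bug 6404` comment that the CLI's empty value arrives at the API as None.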
[Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install
URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 From 90e8c0e7a20d3be6aee18928721de540f6c34bbc Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:49:57 +0200 Subject: [PATCH 1/2] Add the force-join option to replica install When installing client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using --force-join option which is not available in replica installer. Add the option there. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/__init__.py | 2 +- ipaserver/install/server/replicainstall.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 89444f2..028a4aa 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface, """ description = "Server" -force_join = False kinit_attempts = 1 fixed_primary = True ntp_servers = None @@ -526,6 +525,7 @@ class ServerMasterInstall(ServerMasterInstallInterface): Server master installer """ +force_join = False servers = None no_wait_for_dns = True host_password = None diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f489e69..9fa6960 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -948,6 +948,8 @@ def ensure_enrolled(installer): args.append("--no-sshd") if installer.mkhomedir: args.append("--mkhomedir") +if installer.force_join: +args.append("--force-join") ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True) print() 
From 630815740efb8d83de5f9141f111cbbf34e465cd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:57:44 +0200 Subject: [PATCH 2/2] replicainstall: better client install exception handling The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/replicainstall.py | 83 +++--- 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 9fa6960..88a01be 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -908,52 +908,51 @@ def install_check(installer): def ensure_enrolled(installer): -# Call client install script -service.print_msg("Configuring client side components") +args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"] +stdin = None +nolog = [] + +if installer.domain_name: +args.extend(["--domain", installer.domain_name]) +if installer.server: +args.extend(["--server", installer.server]) +if installer.realm_name: +args.extend(["--realm", installer.realm_name]) +if installer.host_name: +args.extend(["--hostname", installer.host_name]) + +if installer.password: +args.extend(["--password", installer.password]) +nolog.append(installer.password) +else: +if installer.admin_password: +# Always set principal if password was set explicitly, +# the password itself gets passed directly via stdin +args.extend(["--principal", installer.principal or "admin"]) +stdin = installer.admin_password +if installer.keytab: +args.extend(["--keytab", installer.keytab]) + +if installer.no_dns_sshfp: +args.append("--no-dns-sshfp") +if installer.ssh_trust_dns: +args.append("--ssh-trust-dns") +if installer.no_ssh: +args.append("--no-ssh") +if installer.no_sshd: +args.append("--no-sshd") +if installer.mkhomedir: +args.append("--mkhomedir") +if installer.force_join: +args.append("--force-join") + try: +# Call client install script +service.print_msg("Configuring client side components") installer._enrollment_performed = True - -args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"] -stdin = None -nolog = [] - -if installer.domain_name: -args.extend(["--domain", installer.domain_name]) -if installer.server: -a
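Review bot: in patch 1/2, `force_join = False` is removed from ServerInstallInterface and added only to ServerMasterInstall, without a comment; the replica installer then relies on inheriting the client knob from a base class not shown in the hunk, and the master installer pins it to False to keep the option out of ipa-server-install. Put a one-line comment at the new `force_join = False` saying it deliberately hides the client --force-join knob from the master installer, so the next cleanup does not move it back into the shared interface and re-expose it.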
[Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install
URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 From 6c160dd41b73287fee07345d673adf6e354c6378 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:49:57 +0200 Subject: [PATCH 1/2] Add the force-join option to replica install When installing client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using --force-join option which is not available in replica installer. Add the option there. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/__init__.py | 4 +++- ipaserver/install/server/replicainstall.py | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 89444f2..98073f8 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface, """ description = "Server" -force_join = False kinit_attempts = 1 fixed_primary = True ntp_servers = None @@ -526,6 +525,7 @@ class ServerMasterInstall(ServerMasterInstallInterface): Server master installer """ +force_join = False servers = None no_wait_for_dns = True host_password = None @@ -595,6 +595,8 @@ class ServerReplicaInstall(ServerReplicaInstallInterface): subject_base = None ca_subject = None +force_join = client.ClientInstallInterface.force_join + admin_password = extend_knob( ServerReplicaInstallInterface.admin_password, description="Kerberos password for the specified admin principal", diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f489e69..9fa6960 100644 --- a/ipaserver/install/server/replicainstall.py 
+++ b/ipaserver/install/server/replicainstall.py @@ -948,6 +948,8 @@ def ensure_enrolled(installer): args.append("--no-sshd") if installer.mkhomedir: args.append("--mkhomedir") +if installer.force_join: +args.append("--force-join") ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True) print() From b1ebac074d4a8a6207d98cef7ab9162c01458b8b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:57:44 +0200 Subject: [PATCH 2/2] replicainstall: better client install exception handling The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/replicainstall.py | 83 +++--- 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 9fa6960..88a01be 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -908,52 +908,51 @@ def install_check(installer): def ensure_enrolled(installer): -# Call client install script -service.print_msg("Configuring client side components") +args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"] +stdin = None +nolog = [] + +if installer.domain_name: +args.extend(["--domain", installer.domain_name]) +if installer.server: +args.extend(["--server", installer.server]) +if installer.realm_name: +args.extend(["--realm", installer.realm_name]) +if installer.host_name: +args.extend(["--hostname", installer.host_name]) + +if installer.password: +args.extend(["--password", installer.password]) +nolog.append(installer.password) +else: +if installer.admin_password: +# Always set principal if password was set explicitly, +# the password itself gets passed directly via stdin +args.extend(["--principal", installer.principal or "admin"]) +stdin = installer.admin_password +if installer.keytab: +args.extend(["--keytab", installer.keytab]) + +if installer.no_dns_sshfp: +args.append("--no-dns-sshfp") +if installer.ssh_trust_dns: +args.append("--ssh-trust-dns") +if installer.no_ssh: +args.append("--no-ssh") +if installer.no_sshd: +args.append("--no-sshd") +if installer.mkhomedir: +args.append("--mkhomedir") +if installer.force_join: +args.append("--force-join") + try: +# Call client install script +serv
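Review bot: hoisting the argument assembly out of the try block means an AttributeError from any `installer.<attr>` access, including the new `installer.force_join`, now propagates instead of being swallowed, which is what the commit message asks for; that makes patch 1/2 defining force_join on the class the replica installer actually uses a prerequisite rather than an independent change, and the message should say so. Separately, the enrollment password is still passed as `--password` on the command line and only masked with `nolog`, while admin_password goes through stdin; either explain the asymmetry in a comment or pass the enrollment password via stdin too so it never appears in the process list.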
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option tomaskrizek commented: """ master: * 70743c8c48db54309a09d510b3a5d8ae86c29e58 idrange-add: properly handle empty --dom-name option ipa-4-5: * 077a61524d79ac5ab6f0eb46450c82ad5594bd2b idrange-add: properly handle empty --dom-name option """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291788105
[Freeipa-devel] [freeipa PR#667][+pushed] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option Label: +pushed
[Freeipa-devel] [freeipa PR#667][closed] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-add: properly handle empty --dom-name option Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667
[Freeipa-devel] [freeipa PR#691][opened] Add force-join option to replica install
URL: https://github.com/freeipa/freeipa/pull/691 Author: stlaz Title: #691: Add force-join option to replica install Action: opened PR body: """ This patchset adds the force-join option to the replica installer. It also tries to improve the developer's experience by narrowing down the scope of originally an all-eating try-except block. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/691/head:pr691 git checkout pr691 From 19a17dfad96f23c5245b82b1fb555b7508e631dd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:49:57 +0200 Subject: [PATCH 1/2] Add the force-join option to replica install When installing client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using --force-join option which is not available in replica installer. Add the option there. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/__init__.py | 5 - ipaserver/install/server/replicainstall.py | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 89444f2..0a1b553 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface, """ description = "Server" -force_join = False kinit_attempts = 1 fixed_primary = True ntp_servers = None @@ -177,6 +176,9 @@ class ServerInstallInterface(ServerCertificateInstallInterface, preserve_sssd = False no_sssd = False +force_join = client.ClientInstallInterface.force_join +force_join = replica_install_only(force_join) + domain_name = client.ClientInstallInterface.domain_name domain_name = extend_knob( domain_name, @@ -526,6 +528,7 @@ class ServerMasterInstall(ServerMasterInstallInterface): Server master installer """ +force_join = False servers = None no_wait_for_dns = True host_password = None 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f489e69..9fa6960 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -948,6 +948,8 @@ def ensure_enrolled(installer): args.append("--no-sshd") if installer.mkhomedir: args.append("--mkhomedir") +if installer.force_join: +args.append("--force-join") ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True) print() From f90f7f131f364f85e087764e9b8dae9dba2a4e0d Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 5 Apr 2017 09:57:44 +0200 Subject: [PATCH 2/2] replicainstall: better client install exception handling The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code. https://pagure.io/freeipa/issue/6183 --- ipaserver/install/server/replicainstall.py | 83 +++--- 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 9fa6960..88a01be 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -908,52 +908,51 @@ def install_check(installer): def ensure_enrolled(installer): -# Call client install script -service.print_msg("Configuring client side components") +args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"] +stdin = None +nolog = [] + +if installer.domain_name: +args.extend(["--domain", installer.domain_name]) +if installer.server: +args.extend(["--server", installer.server]) +if installer.realm_name: +args.extend(["--realm", installer.realm_name]) +if installer.host_name: +args.extend(["--hostname", installer.host_name]) + +if installer.password: +args.extend(["--password", installer.password]) +nolog.append(installer.password) +else: +if installer.admin_password: +# Always set principal if password was set explicitly, +# the password itself gets passed directly via stdin +args.extend(["--principal", installer.principal or "admin"]) +stdin = installer.admin_password +if installer.keytab: +args.extend(["--keytab", installer.keytab]) + +if installer.no_dns_sshfp: +args.append("--no-dns-sshfp") +if installer.ssh_trust_dns: +args.append("--ssh-trust-dns") +if installer.no_ssh: +args.append("--no-ssh") +if installer.no_sshd: +args.ap
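Review bot: in this first version of patch 1/2, the __init__.py hunks both mark force_join as `replica_install_only(...)` on ServerInstallInterface and set `force_join = False` on ServerMasterInstall; once the knob is replica-only, the master override is redundant, and if it is still needed because replica_install_only only affects the option surface rather than the attribute's value, that reason belongs in a comment next to it. Pick one mechanism so the two do not drift apart.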
[Freeipa-devel] [freeipa PR#687][closed] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687
[Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed tomaskrizek commented: """ Replica installation with CA and KRA seems to work fine now. """ See the full comment at https://github.com/freeipa/freeipa/pull/687#issuecomment-291786444
[Freeipa-devel] [freeipa PR#687][+pushed] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed Label: +pushed
[Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed tomaskrizek commented: """ master: * 1aa77fe389e957a652c530ec0456ee05467754b3 Add pki_pin only when needed ipa-4-5: * f53c76b1055d4f7b26fc127852a66f942845cbae Add pki_pin only when needed """ See the full comment at https://github.com/freeipa/freeipa/pull/687#issuecomment-291787403
[Freeipa-devel] [freeipa PR#687][+ack] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Title: #687: Add pki_pin only when needed Label: +ack
[Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 From 2a3a05a076590b7d668d7c56a52d23529029cc19 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 30 Mar 2017 08:33:30 + Subject: [PATCH] cert: defer cert-find result post-processing Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches on certificates which won't even be included in the combined result when cert-find is executed with the --all option. https://pagure.io/freeipa/issue/6808 --- ipaserver/plugins/cert.py | 93 +++-- ipaserver/plugins/dogtag.py | 10 + 2 files changed, 66 insertions(+), 37 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 5590913..1a425de 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -250,6 +250,11 @@ def normalize_pkidate(value): return datetime.datetime.strptime(value, PKIDATE_FORMAT) +def convert_pkidatetime(value): +value = datetime.datetime.fromtimestamp(int(value) // 1000) +return x509.format_datetime(value) + + def validate_csr(ugettext, csr): """ Ensure the CSR is base64-encoded and can be decoded by our PKCS#10 @@ -1384,18 +1389,7 @@ def _get_cert_key(self, cert): return (DN(cert_obj.issuer), cert_obj.serial_number) -def _get_cert_obj(self, cert, all, raw, pkey_only): -obj = {'certificate': base64.b64encode(cert).decode('ascii')} - -full = not pkey_only and all -if not raw: -self.obj._parse(obj, full) -if not full: -del obj['certificate'] - -return obj - -def _cert_search(self, all, raw, pkey_only, **options): +def _cert_search(self, pkey_only, **options): result = collections.OrderedDict() try: 
@@ -1404,15 +1398,19 @@ def _cert_search(self, all, raw, pkey_only, **options): return result, False, False try: -key = self._get_cert_key(cert) +issuer, serial_number = self._get_cert_key(cert) except ValueError: return result, True, True -result[key] = self._get_cert_obj(cert, all, raw, pkey_only) +obj = {'serial_number': serial_number} +if not pkey_only: +obj['certificate'] = base64.b64encode(cert).decode('ascii') + +result[issuer, serial_number] = obj return result, False, True -def _ca_search(self, all, raw, pkey_only, exactly, **options): +def _ca_search(self, raw, pkey_only, exactly, **options): ra_options = {} for name in ('revocation_reason', 'issuer', @@ -1445,7 +1443,6 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete ca_objs = self.api.Command.ca_find( -all=all, timelimit=0, sizelimit=0, )['result'] @@ -1465,24 +1462,16 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): obj = {'serial_number': serial_number} else: obj = ra_obj -if all: -obj.update(ra.get_certificate(str(serial_number))) if not raw: obj['issuer'] = issuer obj['subject'] = DN(ra_obj['subject']) +obj['valid_not_before'] = ( +convert_pkidatetime(obj['valid_not_before'])) +obj['valid_not_after'] = ( +convert_pkidatetime(obj['valid_not_after'])) obj['revoked'] = ( ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) -if all: -obj['certificate'] = ( -obj['certificate'].replace('\r\n', '')) -self.obj._parse(obj) - -if 'certificate_chain' in ca_obj: -cert = x509.load_certificate(obj['certificate']) -cert_der = cert.public_bytes(serialization.Encoding.DER) -obj['certificate_chain'] = ( -[cert_der] + ca_obj['certificate_chain']) obj['cacn'] = ca_obj['cn'][0] 
@@ -1490,7 +1479,7 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete -def _ldap_search(self, all, raw, pkey_only, no_members, **options): +def _ldap_search(self, all, pkey_only, no_members, **options): ldap = self.api.Backend.ldap2 filters = [] @@ -1549,26 +1538,25 @@ def _ldap_search(self, all, raw, pkey_only, no_members, **options):
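Review bot: `convert_pkidatetime` (first hunk of ipaserver/plugins/cert.py, right after `normalize_pkidate`) builds its value with `datetime.datetime.fromtimestamp(int(value) // 1000)`, which returns a naive datetime in the server's local timezone, so the `valid_not_before`/`valid_not_after` values that `_ca_search` now emits will be shifted by the host's UTC offset on any server not running in UTC. The `// 1000` shows the input is an epoch value in milliseconds, which is UTC by definition; `datetime.datetime.utcfromtimestamp(int(value) // 1000)` keeps the result independent of the host's timezone setting (and if `x509.format_datetime` treats a naive datetime as UTC, the current code would label local time as UTC). A one-line docstring stating that the argument is milliseconds since the epoch would also keep it from being confused with `normalize_pkidate` directly above, which parses a string in `PKIDATE_FORMAT`.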
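Review bot: in the `_cert_search` hunk (`@@ -1404,15 +1398,19 @@`), `obj['certificate']` is now stored for every hit whenever `pkey_only` is false, whereas the removed `_get_cert_obj` only kept it when `all` was set (`full = not pkey_only and all`, followed by `del obj['certificate']` otherwise) and ran `self.obj._parse(obj, full)` to fill in the parsed attributes. The combined post-processing that the commit message says replaces this is not among the hunks shown here, so please confirm it both parses the blob for non-raw output and strips `certificate` from entries when `--all` was not given; otherwise cert-find would start returning the base64 blob for plain searches and lose the parsed fields. A test that runs cert-find with and without `--all`/`--raw` and asserts which keys are present would pin this down, since the old behaviour was enforced per entry and is now enforced in one place.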
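Review bot: in the `_ca_search` hunk at `@@ -1465,24 +1462,16 @@`, the two added conversions read back from `obj` (`convert_pkidatetime(obj['valid_not_before'])`) while the `subject` line next to them reads from `ra_obj`. When `pkey_only` is true, `obj` is only `{'serial_number': serial_number}`, so if the `if not raw:` block is reached in that mode (the indentation is lost in this rendering, but the `issuer`/`subject`/`revoked` assignments already sat at that position before the patch) the lookup raises KeyError and the whole cert-find fails. Reading `ra_obj['valid_not_before']`/`ra_obj['valid_not_after']`, as the `subject` line does, is correct whichever way the block is nested; and since the ipaserver/plugins/dogtag.py part of this patch is not shown, it is worth checking that `ra.find` always supplies both keys, or using `.get()` with a fallback rather than an unconditional index.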
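Review bot: the signature changes are asymmetric: `_cert_search` drops both `all` and `raw`, `_ca_search` drops `all` but keeps `raw`, and `_ldap_search` (`@@ -1490,7 +1479,7 @@`) drops `raw` but keeps `all`. Each function still accepts `**options`, so a caller that keeps passing `all=` or `raw=` will not fail loudly; the keyword silently lands in `options`. The `execute` call sites are not among the hunks shown, so please confirm they were updated in the same commit, and consider a short comment on each function saying which flag it still honours and why, since that is not obvious from the signatures alone.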
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option martbab commented: """ @flo-renaud can you please add a test case for this to `ipatests/test_xmlrpc/test_range_plugin.py` so that we do not regress in the future? """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291779673 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet HonzaCholasta commented: """ master: * 6c2772dde52c84024d32533b29e6cbd04c69924a IPA-KDB: use relative path in ipa-certmap config snippet ipa-4-5: * fa46a01c37021e7b2b57fd3092383100e39792fb IPA-KDB: use relative path in ipa-certmap config snippet """ See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-291778291
[Freeipa-devel] [freeipa PR#672][closed] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Author: sumit-bose Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/672/head:pr672 git checkout pr672
[Freeipa-devel] [freeipa PR#672][+pushed] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +pushed
[Freeipa-devel] [freeipa PR#672][+ack] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +ack