[Freeipa-devel] FreeIPA health check tool PoC

2017-04-05 Thread Felipe Barreto Volpone

Hi everyone,

Some people on our team are working on a simple tool (a PoC, actually)
for FreeIPA [1].

The idea is to build a tool that can check the state of FreeIPA.
In the PoC we are only focusing on certificate-related things.

What do we have so far? Ideas and a few lines of code. We need
more ideas and opinions about the tool. Even though this is just a PoC,
do not limit your ideas and proposals because of that.

If you have some idea/feature request you can create an issue here:
https://github.com/felipevolpone/freeipa-health-checker/issues

Also, you can help the project by reviewing the code.
Any feedback (and PRs) are welcome.

How is this tool different from the Diagnostics Tool [2]?
At this point, we have just a PoC and we are testing ideas.
A proper IPA health check tool would need a bit of design and
research. Now, we are only focusing on the checks themselves.

[1] https://github.com/felipevolpone/freeipa-health-checker/
[2] http://www.freeipa.org/page/V4/Diagnostics_Tool

Best,
Felipe Barreto

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#695][synchronized] [4.4] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/695
Author: MartinBasti
 Title: #695: [4.4] Fix PKCS11 helper
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/695/head:pr695
git checkout pr695
From 626890eb13b4663091837a0654d457db0e66c2d7 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose proper
slot from token label.

Softhsm 2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 daemons/dnssec/ipa-dnskeysync-replica|   4 +-
 daemons/dnssec/ipa-ods-exporter  |   3 +-
 ipalib/constants.py  |   2 +
 ipapython/dnssec/localhsm.py |   5 +-
 ipapython/p11helper.py   | 106 ---
 ipaserver/install/dnskeysyncinstance.py  |  10 +--
 ipaserver/install/opendnssecinstance.py  |   8 +-
 ipatests/test_ipapython/test_ipap11helper.py |   6 +-
 8 files changed, 118 insertions(+), 26 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 69a3a68..3714163 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -15,6 +15,7 @@ import os
 import sys
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
@@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
 DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
ipalib.api.env.basedn))
 
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
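Review bot: the `# TODO: slot number could be configurable` comment is dropped, but the replacement hard-codes SOFTHSM_DNSSEC_TOKEN_LABEL in the daemon exactly as the old code hard-coded slot 0; either keep a TODO saying the label is fixed, or give LocalHSM's label parameter the constant as its default so the two daemons do not each have to import it. Unrelated to the change but visible in the context: `open(paths.DNSSEC_SOFTHSM_PIN).read()` relies on refcounting to close the PIN file; a `with` block would make that explicit.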
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 385764a..77f8c4d 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -32,6 +32,7 @@ import sqlite3
 import traceback
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import ipautil
@@ -645,7 +646,7 @@ log.debug('Connected')
 ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
 ipalib.api.env.container_dns,
 ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c423117..43f1f3c 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,3 +279,5 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
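Review bot: add a comment next to SOFTHSM_DNSSEC_TOKEN_LABEL stating that PKCS#11 keeps the token label in a fixed 32-byte, space-padded CK_TOKEN_INFO.label field (the `label[32]` added to p11helper.py in this same patch), so the constant must stay within 32 bytes and the comparison in get_slot() has to strip the padding; a bare string constant gives the next editor no hint of either constraint.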
diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py
index 8f18a45..73511e9 100755
--- a/ipapython/dnssec/localhsm.py
+++ b/ipapython/dnssec/localhsm.py
@@ -89,10 +89,11 @@ def __str__(self):
 def __repr__(self):
 return self.__str__()
 
+
 class LocalHSM(AbstractHSM):
-def __init__(self, library, slot, pin):
+def __init__(self, library, label, pin):
 self.cache_replica_pubkeys = None
-self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
+self.p11 = _ipap11helper.P11_Helper(label, pin, library)
 self.log = logging.getLogger()
 
 def __del__(self):
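Review bot: `__init__(self, library, label, pin)` changes the meaning of a positional argument without changing its position, so a caller still passing the old integer slot (`LocalHSM(lib, 0, pin)`) is forwarded to P11_Helper as a label and fails far from the call site; a text-type check on `label`, or at least a docstring on LocalHSM describing the new parameter, would make the break explicit. Since the changelog says the slot is now detected before the session is opened, logging the resolved slot id here would also let a wrong-token problem be diagnosed from the daemon log.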
diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
index 5ff9ccc..f193ea7 100644
--- a/ipapython/p11helper.py
+++ b/ipapython/p11helper.py
@@ -30,6 +30,7 @@
 };
 
 typedef unsigned long CK_SLOT_ID;
+typedef CK_SLOT_ID *CK_SLOT_ID_PTR;
 
 typedef unsigned long CK_SESSION_HANDLE;
 
@@ -43,6 +44,13 @@
 
 typedef unsigned long CK_ATTRIBUTE_TYPE;
 
+typedef unsigned long ck_flags_t;
+
+typedef unsigned char CK_BBOOL;
+
+typedef unsigned long int CK_ULONG;
+typedef CK_ULONG *CK_ULONG_PTR;
+
 struct _CK_ATTRIBUTE
 {
   CK_ATTRIBUTE_TYPE type;
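Review bot: `ck_flags_t` follows the lower-case GNU pkcs11.h naming while every other typedef in this declaration block (CK_SLOT_ID, CK_BBOOL, CK_ULONG, CK_ULONG_PTR) uses the Cryptoki CK_ prefix; use one vocabulary (CK_FLAGS is the spec name) so readers do not have to guess whether the two styles denote different types.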
@@ -59,6 +67,31 @@
   unsigned long ulParameterLen;
 };
 
+struct _CK_TOKEN_INFO
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned 
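Review bot: `unsigned char label[32]` is the field the new get_slot() will compare against; per PKCS#11 it is padded with spaces to the full 32 bytes and is not NUL-terminated, so the lookup must compare a padded or stripped form rather than treat it as a C string. Because C_GetTokenInfo writes into this struct, the field order and sizes must also match the library's CK_TOKEN_INFO exactly, or the library will write past the fields declared here.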

[Freeipa-devel] [freeipa PR#695][edited] [4.4] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/695
Author: MartinBasti
 Title: #695: [4.4] Fix PKCS11 helper
Action: edited

 Changed field: title
Original value:
"""
Fix PKCS11 helper
"""


[Freeipa-devel] [freeipa PR#695][opened] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/695
Author: MartinBasti
 Title: #695: Fix PKCS11 helper
Action: opened

PR body:
"""
Slots in HSM are not assigned statically, we have to choose proper
slot from token label.

Softhsm 2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/695/head:pr695
git checkout pr695
From 43eb5208abfa5b4e67b10d4fa14b59c5d4e66f31 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose proper
slot from token label.

Softhsm 2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 daemons/dnssec/ipa-dnskeysync-replica|   4 +-
 daemons/dnssec/ipa-ods-exporter  |   3 +-
 ipalib/constants.py  |   2 +
 ipapython/dnssec/localhsm.py |   5 +-
 ipapython/p11helper.py   | 106 ---
 ipaserver/install/dnskeysyncinstance.py  |  10 +--
 ipaserver/install/opendnssecinstance.py  |   9 ++-
 ipatests/test_ipapython/test_ipap11helper.py |   6 +-
 8 files changed, 119 insertions(+), 26 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 69a3a68..3714163 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -15,6 +15,7 @@ import os
 import sys
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython import ipaldap
@@ -154,8 +155,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
 DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
ipalib.api.env.basedn))
 
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 385764a..77f8c4d 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -32,6 +32,7 @@ import sqlite3
 import traceback
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import ipautil
@@ -645,7 +646,7 @@ log.debug('Connected')
 ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
 ipalib.api.env.container_dns,
 ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c423117..43f1f3c 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,3 +279,5 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipapython/dnssec/localhsm.py b/ipapython/dnssec/localhsm.py
index 8f18a45..73511e9 100755
--- a/ipapython/dnssec/localhsm.py
+++ b/ipapython/dnssec/localhsm.py
@@ -89,10 +89,11 @@ def __str__(self):
 def __repr__(self):
 return self.__str__()
 
+
 class LocalHSM(AbstractHSM):
-def __init__(self, library, slot, pin):
+def __init__(self, library, label, pin):
 self.cache_replica_pubkeys = None
-self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
+self.p11 = _ipap11helper.P11_Helper(label, pin, library)
 self.log = logging.getLogger()
 
 def __del__(self):
diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
index 5ff9ccc..f193ea7 100644
--- a/ipapython/p11helper.py
+++ b/ipapytho
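The label-based slot lookup the changelog above describes (get_slot() resolving the slot from the token label at session-open time), as an added example that is not FreeIPA's code: it models the CK_TOKEN_INFO label field with constructed records standing in for C_GetSlotList()/C_GetTokenInfo() results, so it runs without a PKCS#11 library.

```python
from typing import NamedTuple, Sequence

LABEL_LEN = 32  # CK_TOKEN_INFO.label is exactly 32 bytes, space padded, no NUL


class TokenInfo(NamedTuple):
    """The two CK_TOKEN_INFO facts the lookup needs (constructed stand-in)."""
    slot_id: int    # CK_SLOT_ID the token currently sits in
    label: bytes    # raw 32-byte label field as the library fills it


def encode_label(label: str) -> bytes:
    """Encode a text label into the fixed 32-byte, space-padded PKCS#11 form."""
    raw = label.encode("utf-8")
    if len(raw) > LABEL_LEN:
        raise ValueError("token label longer than %d bytes: %r" % (LABEL_LEN, label))
    return raw.ljust(LABEL_LEN, b" ")


def decode_label(raw: bytes) -> str:
    """Strip the space padding (and tolerate NULs some libraries emit)."""
    return raw[:LABEL_LEN].rstrip(b" \x00").decode("utf-8")


def get_slot(tokens: Sequence[TokenInfo], label: str) -> int:
    """Return the slot id holding the token with the given label.

    Resolves the slot from the label each time instead of trusting a stored
    number. A missing label raises LookupError; two tokens with the same
    label raise ValueError, because silently taking the first match could
    bind the DNSSEC keys to the wrong token.
    """
    wanted = decode_label(encode_label(label))   # normalise like the field
    matches = [t.slot_id for t in tokens if decode_label(t.label) == wanted]
    if not matches:
        raise LookupError("no token with label %r" % label)
    if len(matches) > 1:
        raise ValueError("label %r is ambiguous, slots %r" % (label, matches))
    return matches[0]


# Constructed fixture: slot ids are arbitrary, as SoftHSM 2.2 may renumber
# them between restarts; only the label identifies the DNSSEC token.
SAMPLE_TOKENS = [
    TokenInfo(0x12345678, encode_label("scratch")),
    TokenInfo(0x0A0B0C0D, encode_label("ipaDNSSEC")),
]

if __name__ == "__main__":
    print("ipaDNSSEC token is in slot 0x%x" % get_slot(SAMPLE_TOKENS, "ipaDNSSEC"))
```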

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-05 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

MartinBasti commented:
"""
`upgrade and transitions between PKINIT configurations` does this cover:

- CA-less to CA-full upgrade?
- installed 4.4.4 --- upgraded ---> 4.5.0 --- upgraded > 4.5.1
- installed 4.5.0 --- upgraded ---> 4.5.1

?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-291960041

[Freeipa-devel] [freeipa PR#675][edited] [4.5, master] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
 Title: #675: [4.5, master] Fix PKCS11 helper
Action: edited

 Changed field: title
Original value:
"""
[WIP] Fix PKCS11 helper
"""


[Freeipa-devel] [freeipa PR#675][comment] [4.5, master] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/675
Title: #675: [4.5, master] Fix PKCS11 helper

MartinBasti commented:
"""
In 50% of cases DNSSEC works for me :-). Ready for review.

(The issue was unrelated to PKCS11; I probably had a broken machine somehow.)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/675#issuecomment-291921421

[Freeipa-devel] [freeipa PR#693][+ack] [tests] collect audit.log for easier selinux investigation

2017-04-05 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/693
Title: #693: [tests] collect audit.log for easier selinux investigation

Label: +ack

[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
 Title: #675: [WIP] Fix PKCS11 helper
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675
From 5d5db000a2ffe5caec234da98279660666177ac1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose proper
slot from token label.

Softhsm 2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 daemons/dnssec/ipa-dnskeysync-replica|   4 +-
 daemons/dnssec/ipa-ods-exporter  |   3 +-
 ipalib/constants.py  |   2 +
 ipaserver/dnssec/localhsm.py |   5 +-
 ipaserver/install/dnskeysyncinstance.py  |  10 +--
 ipaserver/install/opendnssecinstance.py  |   8 +-
 ipaserver/p11helper.py   | 106 ---
 ipatests/test_ipaserver/test_ipap11helper.py |   6 +-
 8 files changed, 118 insertions(+), 26 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 9bf19ee..c7b9cf3 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -15,6 +15,7 @@ import os
 import sys
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
@@ -158,8 +159,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
 DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
ipalib.api.env.basedn))
 
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 260a7b6..6fe11dc 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -32,6 +32,7 @@ import sqlite3
 import traceback
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -647,7 +648,7 @@ log.debug('Connected')
 ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
 ipalib.api.env.container_dns,
 ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c..e604bb4 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -313,3 +313,5 @@
 '.cache'
 )
 )
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py
index c1e4887..12b40cc 100755
--- a/ipaserver/dnssec/localhsm.py
+++ b/ipaserver/dnssec/localhsm.py
@@ -89,10 +89,11 @@ def __str__(self):
 def __repr__(self):
 return self.__str__()
 
+
 class LocalHSM(AbstractHSM):
-def __init__(self, library, slot, pin):
+def __init__(self, library, label, pin):
 self.cache_replica_pubkeys = None
-self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
+self.p11 = _ipap11helper.P11_Helper(label, pin, library)
 self.log = logging.getLogger()
 
 def __del__(self):
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 861a170..3849626 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -23,10 +23,9 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaserver.install.bindinstance import dns_container_exists
 
-softhsm_token_label = u'ipaDNSSEC'
-softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
 
 
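Review bot: removing the module-level `softhsm_token_label` and `softhsm_slot` names changes this module's public surface; anything that imported `dnskeysyncinstance.softhsm_token_label` must move to the new constant in the same commit (the diffstat shows opendnssecinstance.py is touched, presumably for this reason), and a grep for both old names across ipaserver/ and ipatests/ would confirm nothing else still references them.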
@@ -254,8 +253,8 @@ def __setup_softhsm(self):
 command = [
 paths.SOFTHSM2_UTIL,
 '--init-token',
-'--slot', str(softhsm_slot),
-'--label', so
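Review bot: with `--init-token --free` softhsm2-util initialises the first free slot, so re-running __setup_softhsm on a host that already has an 'ipaDNSSEC' token can create a second token with the same label in another slot rather than failing or reusing the existing one, and a label-based get_slot() would then face an ambiguous label. Check for an existing token with that label before initialising (or make get_slot() fail loudly on duplicates) so a repeated install cannot leave two DNSSEC tokens behind.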

[Freeipa-devel] [freeipa PR#694][opened] RFC: implement local PKINIT deployment in server/replica install

2017-04-05 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: opened

PR body:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are the following things lacking in this PR that I will either
push on top of this one or create a new PR:

  -[ ] removal of anonymous keytab, as it is now useless (and always was)
  -[ ] upgrade and transitions between PKINIT configurations
  -[ ] reporting PKINIT state in LDAP
  -[ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From a3ad3a37972c81dec251c5ad7b1c9795d7ce4581 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 31 Mar 2017 14:14:11 +0200
Subject: [PATCH 1/8] Use only anonymous PKINIT to fetch armor ccache

Since the anonymous principal can only use PKINIT to fetch credential
cache it makes no sense to try and use its kerberos key to establish
FAST channel.

We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830
---
 ipalib/install/kinit.py | 30 +-
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a8..fb6caee 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@
 
 import gssapi
 
-from ipalib.constants import ANON_USER
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import run
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
 raise RuntimeError(result.error_output)
 
 
-def kinit_armor(ccache_name):
+def kinit_armor(ccache_name, pkinit_anchor=None):
 """
-perform kinit to obtain anonymous ticket to be used as armor for FAST.
+perform anonymous pkinit to obtain anonymous ticket to be used as armor
+for FAST.
+
+:param ccache_name: location of the armor ccache
+:param pkinit_anchor: if not None, the location of PKINIT anchor file to
+use. Otherwise the value from Kerberos client library configuration is
+used
+
+:raises: CalledProcessError if the anonymous PKINIT fails
 """
 root_logger.debug("Initializing anonymous ccache")
 
 env = {'LC_ALL': 'C'}
-# try with the keytab first and then again fallback to try with pkinit in
-# case someone decided it is fun to remove Anonymous keys from the entry
-# or in future pkinit enabled principal enforce the use of pkinit
-try:
-# Gssapi does not understand anonymous cred use kinit command instead
-args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
-ANON_USER, '-c', ccache_name]
-run(args, env=env, raiseonerr=True, capture_error=True)
-return
-except Exception as e:
-root_logger.debug("Failed to init Anonymous keytab: %s", e,
-  exc_info=True)
-
-root_logger.debug("Fallback to slower Anonymous PKINIT")
 args = [paths.KINIT, '-n', '-c', ccache_name]
 
+if pkinit_anchor is not None:
+args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
+
 # this workaround enables us to capture stderr and put it
 # into the raised exception in case of unsuccessful authentication
 run(args, env=env, raiseonerr=True, capture_error=True)
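Review bot: dropping the keytab attempt leaves kinit_armor() with anonymous PKINIT as its only path, so every caller that previously succeeded via paths.ANON_KEYTAB now depends on the KDC having a usable PKINIT certificate; the callers should be checked for handling of the CalledProcessError the new docstring promises, since the old code swallowed the first failure and only raised from the fallback. Also validate pkinit_anchor before building `'X509_anchors=FILE:{}'.format(pkinit_anchor)` (it should be an existing, absolute path), so a wrong anchor fails with a clear error instead of an opaque kinit message; the anchor file is what decides which KDC certificate the armor ticket will trust, so a silently wrong value matters.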

From 4946b1f34dcc50cd46979ed249f308791a5cc397 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 31 Mar 2017 14:44:29 +0200
Subject: [PATCH 2/8] krbinstance: add the ability to record and retrieve
 PKINIT status

An API was added to record the configured PKINIT status in the state
file during KDC configuration. The PKINIT feature can have the following
states:
   * full PKINIT: PKINIT certificate was issued by IPA CA and all
 clients with IPA CA configured as PKINIT trust anchor will be able
 to perform PKINIT and request anonymous TGT from this KDC
   * external PKINIT: the PKINIT certificate was provided by a 3rd party
 in a PKCS#12 bundle and all clients that have its root CA as anchor
 can request TGTs by PKINIT
   * local PKINIT: PKINIT certificate was self-signed by KDC's private
 key. This is a fallback mechanism usable only locally on the master
 hosting the KDC. Its intended use is to provide FAST armoring for
 password authenticated requests (e.g. WebUI logins)

See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for
more details.

https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbi

[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-05 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are the following things lacking in this PR that I will either
push on top of this one or create a new PR:

  -[ ] removal of anonymous keytab, as it is now useless (and always was)
  -[ ] upgrade and transitions between PKINIT configurations
  -[ ] reporting PKINIT state in LDAP
  -[ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#675][synchronized] [WIP] Fix PKCS11 helper

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/675
Author: MartinBasti
 Title: #675: [WIP] Fix PKCS11 helper
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/675/head:pr675
git checkout pr675
From 72283bb7c4e29ec001fa81396c7d1ee09b402e5b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Mar 2017 18:53:11 +0200
Subject: [PATCH] Fix PKCS11 helper

Slots in HSM are not assigned statically, we have to choose proper
slot from token label.

Softhsm 2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692
---
 daemons/dnssec/ipa-dnskeysync-replica|   4 +-
 daemons/dnssec/ipa-ods-exporter  |   3 +-
 ipalib/constants.py  |   2 +
 ipaserver/dnssec/localhsm.py |   5 +-
 ipaserver/install/dnskeysyncinstance.py  |   9 +--
 ipaserver/install/opendnssecinstance.py  |   7 +-
 ipaserver/p11helper.py   | 106 ---
 ipatests/test_ipaserver/test_ipap11helper.py |   4 +-
 8 files changed, 115 insertions(+), 25 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 9bf19ee..c7b9cf3 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -15,6 +15,7 @@ import os
 import sys
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
@@ -158,8 +159,7 @@ ldapkeydb = LdapKeyDB(log, ldap,
 DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
ipalib.api.env.basedn))
 
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 260a7b6..6fe11dc 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -32,6 +32,7 @@ import sqlite3
 import traceback
 
 import ipalib
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -647,7 +648,7 @@ log.debug('Connected')
 ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
 ipalib.api.env.container_dns,
 ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c..e604bb4 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -313,3 +313,5 @@
 '.cache'
 )
 )
+
+SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py
index c1e4887..12b40cc 100755
--- a/ipaserver/dnssec/localhsm.py
+++ b/ipaserver/dnssec/localhsm.py
@@ -89,10 +89,11 @@ def __str__(self):
 def __repr__(self):
 return self.__str__()
 
+
 class LocalHSM(AbstractHSM):
-def __init__(self, library, slot, pin):
+def __init__(self, library, label, pin):
 self.cache_replica_pubkeys = None
-self.p11 = _ipap11helper.P11_Helper(slot, pin, library)
+self.p11 = _ipap11helper.P11_Helper(label, pin, library)
 self.log = logging.getLogger()
 
 def __del__(self):
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 861a170..29c0a4b 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -23,10 +23,9 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaserver.install.bindinstance import dns_container_exists
 
-softhsm_token_label = u'ipaDNSSEC'
-softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
 
 
@@ -254,8 +253,8 @@ def __setup_softhsm(self):
 command = [
 paths.SOFTHSM2_UTIL,
 '--init-token',
-'--slot', str(softhsm_slot),
-'--label', so

[Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-05 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/688
Author: redhatrises
 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/688/head:pr688
git checkout pr688
From a5a1428a57dc4191a3853ef628fc5978f1bdd7e9 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 5 Apr 2017 06:50:38 -0600
Subject: [PATCH 1/2] Update get_attr_filter in LDAPSearch to handle
 nsaccountlock user searches

- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
nsaccountlock to false, as well as updating the filter to check for the default value
---
 API.txt   |  6 +++---
 VERSION.m4|  4 ++--
 ipaserver/plugins/baseldap.py | 11 ++-
 ipaserver/plugins/user.py |  1 +
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 7850538..fa7582d 100644
--- a/API.txt
+++ b/API.txt
@@ -5923,7 +5923,7 @@ option: Str('manager?')
 option: Str('mobile*')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock?', cli_name='disabled')
+option: Bool('nsaccountlock?', cli_name='disabled', default=False)
 option: Str('ou?', cli_name='orgunit')
 option: Str('pager*')
 option: Str('postalcode?')
@@ -6052,7 +6052,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
 option: Str('not_in_role*', cli_name='not_in_roles')
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -6109,7 +6109,7 @@ option: Str('mail*', autofill=False, cli_name='email')
 option: Str('manager?', autofill=False)
 option: Str('mobile*', autofill=False)
 option: Flag('no_members', autofill=True, default=False)
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Str('postalcode?', autofill=False)
diff --git a/VERSION.m4 b/VERSION.m4
index 6ec56c5..87dec0e 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 225)
-# Last change: Add --password-expiration option to force password change
+define(IPA_API_VERSION_MINOR, 226)
+# Last change: Set default value for nsaccountlock to False
 
 
 
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index dbe3cbd..35ad96f 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1937,7 +1937,16 @@ def get_attr_filter(self, ldap, **options):
 """
 search_kw = self.args_options_2_entry(**options)
 search_kw['objectclass'] = self.obj.object_class
-return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+filters = []
+for name, value in search_kw.items():
+default = self.get_default_of(name, **options)
+fltr = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
+if default is not None and value == default:
+fltr = ldap.combine_filters([fltr, '(!({}=*))'.format(name)])
+filters.append(fltr)
+
+return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
 
 def get_term_filter(self, ldap, term):
 """
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 9eab521..948a198 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -380,6 +380,7 @@ class user(baseuser):
 takes_params = baseuser.takes_params + (
 Bool('nsaccountlock?',
 cli_name=('disabled'),
+default=False,
 label=_('Account disabled'),
 ),
 Bool('preserved?',
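Review bot: `default=False` is added without `autofill`, so the value is never injected into user-add or user-mod and only serves `get_default_of` in the search filter; a short comment next to the parameter saying that this default exists for the `--disabled=False` search case would save the next reader from looking for where it is applied. The pre-existing `cli_name=('disabled')` is a parenthesised string, not a tuple, which works but reads like a leftover.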

From 9346349d335464caeda6c7e63814e0b7fa39bd51 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 5 Apr 2017 07:24:34 -0600
Subject: [PATCH 2/2] Remove pytest xfail for test_find_enabled_user

---
 ipatests/test_xmlrpc/test_user_plugin.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 098163d..7393a23 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -240,9 

[Freeipa-devel] [freeipa PR#693][opened] [tests] collect audit.log for easier selinux investigation

2017-04-05 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/693
Author: MartinBasti
 Title: #693: [tests] collect audit.log for easier selinux investigation
Action: opened

PR body:
"""
Audit log contains useful information about selinux issues
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/693/head:pr693
git checkout pr693
From 5da23c9f552ba9b36536a5821d7b5005dd05a5ea Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 5 Apr 2017 15:11:09 +0200
Subject: [PATCH] [tests] collect audit.log for easier selinux investigation

Audit log contains useful information about selinux issues
---
 ipaplatform/base/paths.py| 1 +
 ipatests/pytest_plugins/integration/tasks.py | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9cf160f..070d3ff 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -295,6 +295,7 @@ class BasePathNamespace(object):
 SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
 SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
 SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
+VAR_LOG_AUDIT = "/var/log/audit/audit.log"
 DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
 VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
 SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
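Review bot: the new VAR_LOG_AUDIT entry sits between the SSSD_PUBCONF_* paths and DIRSRV_LOCK_DIR, but this part of the namespace follows on-disk path order (/var/lib/sss/..., /var/lock/dirsrv, /var/log/dirsrv/...); /var/log/audit/audit.log belongs after DIRSRV_LOCK_DIR and before VAR_LOG_DIRSRV_INSTANCE_TEMPLATE.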
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 382028a..1705e25 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -84,6 +84,9 @@ def setup_server_logs_collecting(host):
 # dogtag logs
 host.collect_log(os.path.join(paths.VAR_LOG_PKI_DIR))
 
+# selinux logs
+host.collect_log(paths.VAR_LOG_AUDIT)
+
 # SSSD debugging must be set after client is installed (function
 # setup_sssd_debugging)
 
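Review bot: /var/log/audit/audit.log is readable only by root and records host-wide events (logins, every AVC denial, whatever rules the host has loaded), not just the IPA services, so the collected file should be treated as sensitive test output and the comment should say that the collector needs root on the host; if the log is large, consider restricting collection to the test's time window. SELinux denials on client hosts are equally useful for the investigation the title describes, and this hook only runs in setup_server_logs_collecting.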

[Freeipa-devel] [freeipa PR#688][edited] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-05 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/688
Author: redhatrises
 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Action: edited

 Changed field: body
Original value:
"""
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting 
nsaccountlock=True if
`ipa user-find --disabled=False` is entered in the command line and then search 
for any case where nsaccountlock != True. This handles the case where 
nsaccountlock may not exist as an attribute or is False.
"""


[Freeipa-devel] [freeipa PR#688][synchronized] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-05 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/688
Author: redhatrises
 Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/688/head:pr688
git checkout pr688
From a5a1428a57dc4191a3853ef628fc5978f1bdd7e9 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 5 Apr 2017 06:50:38 -0600
Subject: [PATCH] Update get_attr_filter in LDAPSearch to handle nsaccountlock
 user searches

- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
nsaccountlock to false as well as update the filter to check for the default value

[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

flo-renaud commented:
"""
@martbab 
thank you for the suggestion. The new test is available in PR #692 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291843545

[Freeipa-devel] [freeipa PR#692][opened] tests: add non-reg for idrange-add

2017-04-05 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/692
Author: flo-renaud
 Title: #692: tests: add non-reg for idrange-add
Action: opened

PR body:
"""
Add non regression test for issue 6404: when idrange-add is called with
empty dom-name, the command returns
ipa: ERROR: an internal error has occurred

https://pagure.io/freeipa/issue/6404
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/692/head:pr692
git checkout pr692
From ae9c23b2dac14eb60a3ecb52258b01385f734ce8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 5 Apr 2017 11:44:08 +0200
Subject: [PATCH] tests: add non-reg for idrange-add

Add non regression test for issue 6404: when idrange-add is called with
empty dom-name, the command returns
ipa: ERROR: an internal error has occurred

https://pagure.io/freeipa/issue/6404
---
 ipatests/test_xmlrpc/test_range_plugin.py | 49 ++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index d0f962a..0a8f66b 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -113,6 +113,12 @@
 testrange8_base_rid = rid_shift + 700
 testrange8_secondary_base_rid = rid_shift + 800
 
+testrange9 = u'testrange9'
+testrange9_base_id = id_shift + 800
+testrange9_size = 50
+testrange9_base_rid = rid_shift + 800
+testrange9_secondary_base_rid = rid_shift + 1800
+
 # Domain ranges definitions
 
 # Domain1 - AD domain nonactive (not present in LDAP)
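Review bot: testrange9_base_rid = rid_shift + 800 reuses the value of testrange8_secondary_base_rid two lines above; idrange-add checks local ranges for overlapping RID ranges, so if testrange8 still exists when testrange9 is added the command is rejected and the new test fails for a reason unrelated to issue 6404. Pick an offset not used by the other ranges, or add a comment stating that testrange8 has been deleted by the time this test runs.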
@@ -416,7 +422,8 @@ def teardown_class(cls):
 
 cleanup_commands = [
 ('idrange_del', [testrange1, testrange2, testrange3, testrange4,
- testrange5, testrange6, testrange7, testrange8],
+ testrange5, testrange6, testrange7, testrange8,
+ testrange9],
 {'continue': True}),
 ('user_del', [user1], {}),
 ('group_del', [group1], {}),
@@ -872,4 +879,44 @@ def teardown_class(cls):
  'range.'),
 ),
 
+# Test for bug 6404
+# if dom-name is empty, add should not fail
+
+dict(
+desc='Create ID range %r' % (testrange9),
+command=('idrange_add', [testrange9],
+ dict(ipanttrusteddomainname=None,
+  ipabaseid=testrange9_base_id,
+  ipaidrangesize=testrange9_size,
+  ipabaserid=testrange9_base_rid,
+  ipasecondarybaserid=testrange9_secondary_base_rid)),
+expected=dict(
+result=dict(
+dn=DN(('cn', testrange9), ('cn', 'ranges'), ('cn', 'etc'),
+  api.env.basedn),
+cn=[testrange9],
+objectclass=[u'ipaIDrange', u'ipadomainidrange'],
+ipabaseid=[unicode(testrange9_base_id)],
+ipabaserid=[unicode(testrange9_base_rid)],
+ipasecondarybaserid=[
+unicode(testrange9_secondary_base_rid)],
+ipaidrangesize=[unicode(testrange9_size)],
+iparangetyperaw=[u'ipa-local'],
+iparangetype=[u'local domain range'],
+),
+value=testrange9,
+summary=u'Added ID range "%s"' % (testrange9),
+),
+),
+
+dict(
+desc='Delete ID range %r' % testrange9,
+command=('idrange_del', [testrange9], {}),
+expected=dict(
+result=dict(failed=[]),
+value=[testrange9],
+summary=u'Deleted ID range "%s"' % testrange9,
+),
+),
+
 ]
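Review bot: the test passes ipanttrusteddomainname=None straight into the command, while the issue describes an empty --dom-name on the CLI; a comment saying that the framework converts the empty CLI value to None before execute() runs would make clear that this exercises the reported path rather than a different one. The expected result correctly omits ipanttrusteddomainname and expects iparangetyperaw of ipa-local; the two-line comment above the dict could also carry the pagure URL so the test points back to issue 6404 directly.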

[Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install

2017-04-05 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/691
Author: stlaz
 Title: #691: Add force-join option to replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/691/head:pr691
git checkout pr691
From 90e8c0e7a20d3be6aee18928721de540f6c34bbc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:49:57 +0200
Subject: [PATCH 1/2] Add the force-join option to replica install

When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/__init__.py   | 2 +-
 ipaserver/install/server/replicainstall.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 89444f2..028a4aa 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 """
 description = "Server"
 
-force_join = False
 kinit_attempts = 1
 fixed_primary = True
 ntp_servers = None
@@ -526,6 +525,7 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 Server master installer
 """
 
+force_join = False
 servers = None
 no_wait_for_dns = True
 host_password = None
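Review bot: with `force_join = False` removed from ServerInstallInterface, the replica installer's `force_join` must now come from a base-class knob (the class list in the hunk header is cut off, so that cannot be verified from this extract), yet ensure_enrolled reads installer.force_join unconditionally; the commit message should say that the `False` was masking an inherited client knob for both installers and that ServerMasterInstall keeps the mask, otherwise the reader has to guess why the attribute merely moves and whether the replica path can raise AttributeError.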
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f489e69..9fa6960 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -948,6 +948,8 @@ def ensure_enrolled(installer):
 args.append("--no-sshd")
 if installer.mkhomedir:
 args.append("--mkhomedir")
+if installer.force_join:
+args.append("--force-join")
 
 ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True)
 print()
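Review bot: forwarding --force-join makes ipa-client-install re-enrol a host whose server-side entry already holds a keytab, so the help text of the replica knob should say that plainly and the commit message should name the situation in which it is expected (a stale host entry left by a failed earlier attempt); nothing in the hunk itself needs changing.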

From 630815740efb8d83de5f9141f111cbbf34e465cd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:57:44 +0200
Subject: [PATCH 2/2] replicainstall: better client install exception handling

The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/replicainstall.py | 83 +++---
 1 file changed, 41 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 9fa6960..88a01be 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -908,52 +908,51 @@ def install_check(installer):
 
 
 def ensure_enrolled(installer):
-# Call client install script
-service.print_msg("Configuring client side components")
+args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"]
+stdin = None
+nolog = []
+
+if installer.domain_name:
+args.extend(["--domain", installer.domain_name])
+if installer.server:
+args.extend(["--server", installer.server])
+if installer.realm_name:
+args.extend(["--realm", installer.realm_name])
+if installer.host_name:
+args.extend(["--hostname", installer.host_name])
+
+if installer.password:
+args.extend(["--password", installer.password])
+nolog.append(installer.password)
+else:
+if installer.admin_password:
+# Always set principal if password was set explicitly,
+# the password itself gets passed directly via stdin
+args.extend(["--principal", installer.principal or "admin"])
+stdin = installer.admin_password
+if installer.keytab:
+args.extend(["--keytab", installer.keytab])
+
+if installer.no_dns_sshfp:
+args.append("--no-dns-sshfp")
+if installer.ssh_trust_dns:
+args.append("--ssh-trust-dns")
+if installer.no_ssh:
+args.append("--no-ssh")
+if installer.no_sshd:
+args.append("--no-sshd")
+if installer.mkhomedir:
+args.append("--mkhomedir")
+if installer.force_join:
+args.append("--force-join")
+
 try:
+# Call client install script
+service.print_msg("Configuring client side components")
 installer._enrollment_performed = True
-
-args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"]
-stdin = None
-nolog = []
-
-if installer.domain_name:
-args.extend(["--domain", installer.domain_name])
-if installer.server:
-a
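Review bot: installer.password (the host one-time password) is placed on the ipa-client-install command line and only redacted from the log via nolog, whereas the admin password is deliberately sent over stdin (see the comment in the hunk); the child's argv is visible to other local users while it runs, so if ipa-client-install can accept the one-time password on stdin as well, use that, otherwise add a comment that nolog hides it from the log but not from the process list. Building args before the try so that only the enrolment call is guarded matches the commit message; the except clause is cut off in this extract, so the narrowed exception set cannot be checked here.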

[Freeipa-devel] [freeipa PR#691][synchronized] Add force-join option to replica install

2017-04-05 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/691
Author: stlaz
 Title: #691: Add force-join option to replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/691/head:pr691
git checkout pr691
From 6c160dd41b73287fee07345d673adf6e354c6378 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:49:57 +0200
Subject: [PATCH 1/2] Add the force-join option to replica install

When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/__init__.py   | 4 +++-
 ipaserver/install/server/replicainstall.py | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 89444f2..98073f8 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 """
 description = "Server"
 
-force_join = False
 kinit_attempts = 1
 fixed_primary = True
 ntp_servers = None
@@ -526,6 +525,7 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 Server master installer
 """
 
+force_join = False
 servers = None
 no_wait_for_dns = True
 host_password = None
@@ -595,6 +595,8 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
 subject_base = None
 ca_subject = None
 
+force_join = client.ClientInstallInterface.force_join
+
 admin_password = extend_knob(
 ServerReplicaInstallInterface.admin_password,
 description="Kerberos password for the specified admin principal",
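Review bot: force_join is attached to the concrete ServerReplicaInstall class by copying client.ClientInstallInterface.force_join directly, whereas the neighbouring knobs (admin_password just below) are declared on ServerReplicaInstallInterface and extended with extend_knob here; declare it at the interface level for consistency, so any other consumer of that interface sees the option too.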
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f489e69..9fa6960 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -948,6 +948,8 @@ def ensure_enrolled(installer):
 args.append("--no-sshd")
 if installer.mkhomedir:
 args.append("--mkhomedir")
+if installer.force_join:
+args.append("--force-join")
 
 ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True)
 print()

From b1ebac074d4a8a6207d98cef7ab9162c01458b8b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:57:44 +0200
Subject: [PATCH 2/2] replicainstall: better client install exception handling

The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/replicainstall.py | 83 +++---
 1 file changed, 41 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 9fa6960..88a01be 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -908,52 +908,51 @@ def install_check(installer):
 
 
 def ensure_enrolled(installer):
-# Call client install script
-service.print_msg("Configuring client side components")
+args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"]
+stdin = None
+nolog = []
+
+if installer.domain_name:
+args.extend(["--domain", installer.domain_name])
+if installer.server:
+args.extend(["--server", installer.server])
+if installer.realm_name:
+args.extend(["--realm", installer.realm_name])
+if installer.host_name:
+args.extend(["--hostname", installer.host_name])
+
+if installer.password:
+args.extend(["--password", installer.password])
+nolog.append(installer.password)
+else:
+if installer.admin_password:
+# Always set principal if password was set explicitly,
+# the password itself gets passed directly via stdin
+args.extend(["--principal", installer.principal or "admin"])
+stdin = installer.admin_password
+if installer.keytab:
+args.extend(["--keytab", installer.keytab])
+
+if installer.no_dns_sshfp:
+args.append("--no-dns-sshfp")
+if installer.ssh_trust_dns:
+args.append("--ssh-trust-dns")
+if installer.no_ssh:
+args.append("--no-ssh")
+if installer.no_sshd:
+args.append("--no-sshd")
+if installer.mkhomedir:
+args.append("--mkhomedir")
+if installer.force_join:
+args.append("--force-join")
+
 try:
+# Call client install script
+serv

[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

tomaskrizek commented:
"""
master:

* 70743c8c48db54309a09d510b3a5d8ae86c29e58 idrange-add: properly handle empty --dom-name option


ipa-4-5:

* 077a61524d79ac5ab6f0eb46450c82ad5594bd2b idrange-add: properly handle empty --dom-name option


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291788105

[Freeipa-devel] [freeipa PR#667][+pushed] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

Label: +pushed

[Freeipa-devel] [freeipa PR#667][closed] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/667
Author: flo-renaud
 Title: #667: idrange-add: properly handle empty --dom-name option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/667/head:pr667
git checkout pr667

[Freeipa-devel] [freeipa PR#691][opened] Add force-join option to replica install

2017-04-05 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/691
Author: stlaz
 Title: #691: Add force-join option to replica install
Action: opened

PR body:
"""
This patchset adds the force-join option to the replica installer. It also 
tries to improve the developer's experience by narrowing down the scope of 
originally an all-eating try-except block.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/691/head:pr691
git checkout pr691
From 19a17dfad96f23c5245b82b1fb555b7508e631dd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:49:57 +0200
Subject: [PATCH 1/2] Add the force-join option to replica install

When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/__init__.py   | 5 -
 ipaserver/install/server/replicainstall.py | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 89444f2..0a1b553 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -166,7 +166,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 """
 description = "Server"
 
-force_join = False
 kinit_attempts = 1
 fixed_primary = True
 ntp_servers = None
@@ -177,6 +176,9 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 preserve_sssd = False
 no_sssd = False
 
+force_join = client.ClientInstallInterface.force_join
+force_join = replica_install_only(force_join)
+
 domain_name = client.ClientInstallInterface.domain_name
 domain_name = extend_knob(
 domain_name,
@@ -526,6 +528,7 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 Server master installer
 """
 
+force_join = False
 servers = None
 no_wait_for_dns = True
 host_password = None
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f489e69..9fa6960 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -948,6 +948,8 @@ def ensure_enrolled(installer):
 args.append("--no-sshd")
 if installer.mkhomedir:
 args.append("--mkhomedir")
+if installer.force_join:
+args.append("--force-join")
 
 ipautil.run(args, stdin=stdin, nolog=nolog, redirect_output=True)
 print()

From f90f7f131f364f85e087764e9b8dae9dba2a4e0d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 5 Apr 2017 09:57:44 +0200
Subject: [PATCH 2/2] replicainstall: better client install exception handling

The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.

https://pagure.io/freeipa/issue/6183
---
 ipaserver/install/server/replicainstall.py | 83 +++---
 1 file changed, 41 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 9fa6960..88a01be 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -908,52 +908,51 @@ def install_check(installer):
 
 
 def ensure_enrolled(installer):
-# Call client install script
-service.print_msg("Configuring client side components")
+args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"]
+stdin = None
+nolog = []
+
+if installer.domain_name:
+args.extend(["--domain", installer.domain_name])
+if installer.server:
+args.extend(["--server", installer.server])
+if installer.realm_name:
+args.extend(["--realm", installer.realm_name])
+if installer.host_name:
+args.extend(["--hostname", installer.host_name])
+
+if installer.password:
+args.extend(["--password", installer.password])
+nolog.append(installer.password)
+else:
+if installer.admin_password:
+# Always set principal if password was set explicitly,
+# the password itself gets passed directly via stdin
+args.extend(["--principal", installer.principal or "admin"])
+stdin = installer.admin_password
+if installer.keytab:
+args.extend(["--keytab", installer.keytab])
+
+if installer.no_dns_sshfp:
+args.append("--no-dns-sshfp")
+if installer.ssh_trust_dns:
+args.append("--ssh-trust-dns")
+if installer.no_ssh:
+args.append("--no-ssh")
+if installer.no_sshd:
+args.ap

[Freeipa-devel] [freeipa PR#687][closed] Add pki_pin only when needed

2017-04-05 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/687
Author: stlaz
 Title: #687: Add pki_pin only when needed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/687/head:pr687
git checkout pr687

[Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/687
Title: #687: Add pki_pin only when needed

tomaskrizek commented:
"""
Replica installation with CA and KRA seems to work fine now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/687#issuecomment-291786444

[Freeipa-devel] [freeipa PR#687][+pushed] Add pki_pin only when needed

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/687
Title: #687: Add pki_pin only when needed

Label: +pushed

[Freeipa-devel] [freeipa PR#687][comment] Add pki_pin only when needed

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/687
Title: #687: Add pki_pin only when needed

tomaskrizek commented:
"""
master:

* 1aa77fe389e957a652c530ec0456ee05467754b3 Add pki_pin only when needed


ipa-4-5:

* f53c76b1055d4f7b26fc127852a66f942845cbae Add pki_pin only when needed


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/687#issuecomment-291787403

[Freeipa-devel] [freeipa PR#687][+ack] Add pki_pin only when needed

2017-04-05 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/687
Title: #687: Add pki_pin only when needed

Label: +ack

[Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing

2017-04-05 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/677
Author: HonzaCholasta
 Title: #677: cert: defer cert-find result post-processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/677/head:pr677
git checkout pr677
From 2a3a05a076590b7d668d7c56a52d23529029cc19 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 30 Mar 2017 08:33:30 +
Subject: [PATCH] cert: defer cert-find result post-processing

Rather than post-processing the results of each internal search,
post-process the combined result.

This avoids expensive per-certificate searches on certificates which won't
even be included in the combined result when cert-find is executed with the
--all option.

https://pagure.io/freeipa/issue/6808
---
 ipaserver/plugins/cert.py   | 93 +++--
 ipaserver/plugins/dogtag.py | 10 +
 2 files changed, 66 insertions(+), 37 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5590913..1a425de 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -250,6 +250,11 @@ def normalize_pkidate(value):
 return datetime.datetime.strptime(value, PKIDATE_FORMAT)
 
 
+def convert_pkidatetime(value):
+value = datetime.datetime.fromtimestamp(int(value) // 1000)
+return x509.format_datetime(value)
+
+
 def validate_csr(ugettext, csr):
 """
 Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
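Review bot: `convert_pkidatetime` builds its datetime with `datetime.datetime.fromtimestamp(int(value) // 1000)`, which interprets the epoch value in the server's local time zone, so the string produced by `x509.format_datetime` will shift with the host's TZ setting. If the input is an epoch in milliseconds (as the `// 1000` suggests), `datetime.datetime.utcfromtimestamp(int(value) // 1000)` or `fromtimestamp(..., tz=datetime.timezone.utc)` keeps not-before/not-after output stable across hosts. A one-line docstring stating the expected input would also help, since the neighbouring `normalize_pkidate` parses a formatted string rather than an epoch.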
@@ -1384,18 +1389,7 @@ def _get_cert_key(self, cert):
 
 return (DN(cert_obj.issuer), cert_obj.serial_number)
 
-def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': base64.b64encode(cert).decode('ascii')}
-
-full = not pkey_only and all
-if not raw:
-self.obj._parse(obj, full)
-if not full:
-del obj['certificate']
-
-return obj
-
-def _cert_search(self, all, raw, pkey_only, **options):
+def _cert_search(self, pkey_only, **options):
 result = collections.OrderedDict()
 
 try:
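Review bot: the new `_cert_search(self, pkey_only, **options)` signature drops `all` and `raw` but still accepts `**options`, so a caller that keeps passing `all=`/`raw=` will have them silently swallowed instead of failing. The call sites are not in the visible hunks; please confirm they were updated together with this change, or add an explicit check so stale keyword arguments surface as errors.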
@@ -1404,15 +1398,19 @@ def _cert_search(self, all, raw, pkey_only, **options):
 return result, False, False
 
 try:
-key = self._get_cert_key(cert)
+issuer, serial_number = self._get_cert_key(cert)
 except ValueError:
 return result, True, True
 
-result[key] = self._get_cert_obj(cert, all, raw, pkey_only)
+obj = {'serial_number': serial_number}
+if not pkey_only:
+obj['certificate'] = base64.b64encode(cert).decode('ascii')
+
+result[issuer, serial_number] = obj
 
 return result, False, True
 
-def _ca_search(self, all, raw, pkey_only, exactly, **options):
+def _ca_search(self, raw, pkey_only, exactly, **options):
 ra_options = {}
 for name in ('revocation_reason',
  'issuer',
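Review bot: the `_cert_search` entries now carry `serial_number` (and optionally `certificate`) but no `issuer`, while `_ca_search` below sets `obj['issuer'] = issuer` on its entries when `not raw`; the issuer for these entries survives only in the `result[issuer, serial_number]` key. Either add `obj['issuer'] = issuer` here for parity, or document that the combined post-processing step fills it in from the key, so the two result sources do not diverge.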
@@ -1445,7 +1443,6 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options):
 return result, False, complete
 
 ca_objs = self.api.Command.ca_find(
-all=all,
 timelimit=0,
 sizelimit=0,
 )['result']
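Review bot: dropping `all=all` from the `ca_find` call changes which attributes come back on `ca_obj`; the `certificate_chain` handling removed in the next hunk was the consumer of that data, so this is consistent, but the deferred post-processing will now have to fetch the chain itself when the caller asks for it. A short comment on the call noting that the chain is intentionally not requested here would save the next reader a search.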
@@ -1465,24 +1462,16 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options):
 obj = {'serial_number': serial_number}
 else:
 obj = ra_obj
-if all:
-obj.update(ra.get_certificate(str(serial_number)))
 
 if not raw:
 obj['issuer'] = issuer
 obj['subject'] = DN(ra_obj['subject'])
+obj['valid_not_before'] = (
+convert_pkidatetime(obj['valid_not_before']))
+obj['valid_not_after'] = (
+convert_pkidatetime(obj['valid_not_after']))
 obj['revoked'] = (
 ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
-if all:
-obj['certificate'] = (
-obj['certificate'].replace('\r\n', ''))
-self.obj._parse(obj)
-
-if 'certificate_chain' in ca_obj:
-cert = x509.load_certificate(obj['certificate'])
-cert_der = cert.public_bytes(serialization.Encoding.DER)
-obj['certificate_chain'] = (
-[cert_der] + ca_obj['certificate_chain'])
 
 obj['cacn'] = ca_obj['cn'][0]
 
@@ -1490,7 +1479,7 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options):
 
 return result, False, complete
 
-def _ldap_search(self, all, raw, pkey_only, no_members, **options):
+def _ldap_search(self, all, pkey_only, no_members, **options):
 ldap = self.api.Backend.ldap2
 
 filters = []
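Review bot: `_ldap_search` keeps `all` and drops `raw`, whereas `_ca_search` above keeps `raw` and drops `all`; the asymmetry is easy to read as an oversight. A brief comment on each signature saying which option still influences that search (and that the rest is handled in the combined post-processing) would make the intent clear.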
@@ -1549,26 +1538,25 @@ def _ldap_search(self, all, raw, pkey_only, no_members, **options):

[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

martbab commented:
"""
@flo-renaud can you please add a test case for this to 
`ipatests/test_xmlrpc/test_range_plugin.py` so that we do not regress in the 
future?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291779673

[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-04-05 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

HonzaCholasta commented:
"""
master:

* 6c2772dde52c84024d32533b29e6cbd04c69924a IPA-KDB: use relative path in 
ipa-certmap config snippet


ipa-4-5:

* fa46a01c37021e7b2b57fd3092383100e39792fb IPA-KDB: use relative path in 
ipa-certmap config snippet


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/672#issuecomment-291778291

[Freeipa-devel] [freeipa PR#672][closed] IPA-KDB: use relative path in ipa-certmap config snippet

2017-04-05 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/672
Author: sumit-bose
 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/672/head:pr672
git checkout pr672

[Freeipa-devel] [freeipa PR#672][+pushed] IPA-KDB: use relative path in ipa-certmap config snippet

2017-04-05 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

Label: +pushed

[Freeipa-devel] [freeipa PR#672][+ack] IPA-KDB: use relative path in ipa-certmap config snippet

2017-04-05 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

Label: +ack