[Freeipa-devel] [freeipa PR#590][comment] Validate user input for cert-get-requestdata
URL: https://github.com/freeipa/freeipa/pull/590
Title: #590: Validate user input for cert-get-requestdata

Akasurde commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/590#issuecomment-295343818

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage

HonzaCholasta commented:
"""
master:

* 4322b57e313105611df39e99097993ba4161ab42 configure: fix AC_CHECK_LIB usage

ipa-4-5:

* 207864a61a748a9032e67bf0f1782379e44fb5aa configure: fix AC_CHECK_LIB usage
"""

See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295279306
[Freeipa-devel] [freeipa PR#718][+pushed] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage
Label: +pushed
[Freeipa-devel] [freeipa PR#718][closed] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Author: HonzaCholasta
Title: #718: configure: fix AC_CHECK_LIB usage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/718/head:pr718
git checkout pr718
[Freeipa-devel] [freeipa PR#718][+ack] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage
Label: +ack
[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage

stlaz commented:
"""
This patch seems to have fixed the problem, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295276975
[Freeipa-devel] [freeipa PR#721][closed] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Author: stlaz
Title: #721: Fix RA cert import during DL0 replication
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/721/head:pr721
git checkout pr721
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication

HonzaCholasta commented:
"""
master:

* 6f0a622d83ee22ce712a380d1701cb1f383689e4 Fix RA cert import during DL0 replication

ipa-4-5:

* 3f70baf2a4811e3eee341aee6da99dfa80c092e6 Fix RA cert import during DL0 replication
"""

See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295253863
[Freeipa-devel] [freeipa PR#721][+pushed] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
Label: +pushed
[Freeipa-devel] [freeipa PR#721][+ack] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
Label: +ack
[Freeipa-devel] [freeipa PR#721][synchronized] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 From 2d567c37257e3557088ae65d8f830cd7a79d69eb Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 19 Apr 2017 11:42:40 +0200 Subject: [PATCH] Fix RA cert import during DL0 replication Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 43 +++- ipaserver/install/ipa_replica_prepare.py | 17 +++-- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..a201649 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -338,6 +338,7 @@ def configure_instance(self, host_name, dm_password, admin_password, self.clone = True self.master_host = master_host self.master_replication_port = master_replication_port +self.ra_p12 = ra_p12 self.subject_base = \ subject_base or installutils.default_subject_base(self.realm) @@ -400,7 +401,7 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Importing RA key", self.__import_ra_key) else: self.step("importing RA certificate from PKCS #12 file", - lambda: self.import_ra_cert(ra_p12)) + self.__import_ra_cert) if not ra_only: self.step("setting up signing cert profile", self.__setup_sign_profile) 
@@ -676,28 +677,36 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile): +def __import_ra_cert(self): +""" +Helper method for IPA domain level 0 replica install +""" +self.import_ra_cert(self.ra_p12, self.dm_password) + +def import_ra_cert(self, rafile, password=''): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. Used when setting up replication """ -# get the private key from the file -ipautil.run([paths.OPENSSL, - "pkcs12", - "-in", rafile, - "-nocerts", "-nodes", - "-out", paths.RA_AGENT_KEY, - "-passin", "pass:"]) - -# get the certificate from the pkcs12 file -ipautil.run([paths.OPENSSL, - "pkcs12", - "-in", rafile, - "-clcerts", "-nokeys", - "-out", paths.RA_AGENT_PEM, - "-passin", "pass:"]) +with ipautil.write_tmp_file(password) as f: +pwdarg = 'file:{file}'.format(file=f.name) +# get the private key from the file +ipautil.run([paths.OPENSSL, + "pkcs12", + "-in", rafile, + "-nocerts", "-nodes", + "-out", paths.RA_AGENT_KEY, + "-passin", pwdarg]) + +# get the certificate from the pkcs12 file +ipautil.run([paths.OPENSSL, + "pkcs12", + "-in", rafile, + "-clcerts", "-nokeys", + "-out", paths.RA_AGENT_PEM, + "-passin", pwdarg]) self.__set_ra_cert_perms() self.configure_agent_renewal() diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 95c3818..d4456dd 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py 
@@ -571,14 +571,15 @@ def export_certdb(self, fname, passwd_fname): def export_ra_pkcs12(self): if (os.path.exists(paths.RA_AGENT_PEM) and os.path.exists(paths.RA_AGENT_KEY)): -ipautil.run([ -paths.OPENSSL, -"pkcs12", "-export", -"-inkey", paths.RA_AGENT_KEY, -"-in", paths.RA_AGENT_PEM, -"-out", os.path.join(self.dir, "ra.p12"), -"-passout", "pass:" -]) +with ipautil.write_tmp_file(self.dirman_password) as f: +ipautil.run([ +paths.OPENSSL, +"pkcs12", "-export", +"-inkey", paths.RA_AGENT_KEY, +"-in", paths.RA_AGENT_PEM, +
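Review bot: the new `password=''` parameter of `import_ra_cert` is not mentioned in the docstring, which still only says the certificate is imported from a PKCS#12 file; add a line stating that `password` is the PKCS#12 passphrase and that the empty default keeps the previous behaviour for an unprotected file. Also, the temporary file produced by `with ipautil.write_tmp_file(password) as f:` now holds the Directory Manager password for the duration of the two openssl calls, so confirm that `write_tmp_file` creates the file with owner-only permissions and unlinks it when the `with` block exits, including when `ipautil.run` raises; the context-manager form is a clear improvement over the `tempfile.mkstemp()` of the first revision of this PR, which never removed the file.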
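Review bot: the `export_ra_pkcs12` hunk as shown here ends at `"-in", paths.RA_AGENT_PEM,`, so the `-out` and `-passout` lines of the rewritten call are not visible; given the `with ipautil.write_tmp_file(self.dirman_password) as f:` wrapper, the `"-passout", "pass:"` pair should become a `file:` argument built from `f.name` exactly as `pwdarg` is built in `import_ra_cert`. Since the same passphrase-file construction now appears on both the export and the import side, a small shared helper returning the `file:{name}` string would keep the two from drifting apart again, which is how the first revision of this PR went wrong (the reviewer comment on this PR points out that the export side had been forgotten).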
[Freeipa-devel] [freeipa PR#719][closed] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Author: stlaz
Title: #719: External CA fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/719/head:pr719
git checkout pr719
[Freeipa-devel] [freeipa PR#719][+ack] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes
Label: +ack
[Freeipa-devel] [freeipa PR#719][comment] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes

HonzaCholasta commented:
"""
master:

* 25a33ce8b1c77b0d957772143affd7085757bccb server-install: No double Kerberos install
* 7b8503173b253860c1059bd40858f2fdffb4ae33 ext. CA: correctly write the cert chain

ipa-4-5:

* 2144eaf25ef1148c9353dfb2680f8811fd8c21aa server-install: No double Kerberos install
* a6af0033a4d0af387eebdd6500eb1e74c5c29ce7 ext. CA: correctly write the cert chain
"""

See the full comment at https://github.com/freeipa/freeipa/pull/719#issuecomment-295239924
[Freeipa-devel] [freeipa PR#719][+pushed] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes
Label: +pushed
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication

stlaz commented:
"""
Silly me 🙄
"""

See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295238665
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication

HonzaCholasta commented:
"""
... because you need to apply the same fix to `ReplicaPrepare.export_ra_pkcs12` as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295231831
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication

HonzaCholasta commented:
"""
`ipa-replica-install` fails for me:
```
  [2/2]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
`ipareplica-install.log` says:
```
2017-04-19T11:28:53Z DEBUG   [2/2]: importing RA certificate from PKCS #12 file
2017-04-19T11:28:53Z DEBUG Starting external process
2017-04-19T11:28:53Z DEBUG args=/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru
2017-04-19T11:28:53Z DEBUG Process finished, return code=1
2017-04-19T11:28:53Z DEBUG stdout=
2017-04-19T11:28:53Z DEBUG stderr=Mac verify error: invalid password?
```
🤷
"""

See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295230168
[Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From 9cb7811d9b3b5c140dbf72edf9e4b00c412c3cf9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/server/install.py | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..b360e05 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -762,11 +762,12 @@ def install(installer): options.subject_base, options.ca_subject, 1101, 1100, None) krb = krbinstance.KrbInstance(fstore) -krb.create_instance(realm_name, host_name, domain_name, -dm_password, master_password, -setup_pkinit=not options.no_pkinit, -pkcs12_info=pkinit_pkcs12_info, -subject_base=options.subject_base) +if not options.external_cert_files: +krb.create_instance(realm_name, host_name, domain_name, +dm_password, master_password, +setup_pkinit=not options.no_pkinit, +pkcs12_info=pkinit_pkcs12_info, +subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: From 27a2c13c3748e334aa86169c33f042075294d903 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file -for cert in certlist: -with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +for cert in certlist: ipaca_pem.write(cert) +ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
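Review bot: in the `__export_ca_chain` hunk of patch 2/2, the `ipaca_pem.write('\n')` added after `ipaca_pem.write(cert)` emits a newline after every certificate; if the PEM strings returned by `x509.pkcs7_to_pems` already end in a newline this produces a blank line between certificates, which PEM readers tolerate but which should be checked against the real output of `pkcs7_to_pems` so the file layout is not changed without reason. Moving `with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:` outside the `for cert in certlist:` loop is the correct fix: with mode `'w'` each iteration previously truncated the file, so only the last certificate of the chain survived, which is the defect the commit message describes.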
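Review bot: the `if not options.external_cert_files:` guard around `krb.create_instance(...)` in patch 1/2 deserves a one-line comment explaining why it is there: in the external-CA flow the KDC was already installed during the first run of the installer, and the second run, the one that supplies the CA certificate files, must not install it again, which is the failure the commit message describes. Leaving `krb = krbinstance.KrbInstance(fstore)` outside the guard is right, since the object is still needed by the code that follows, and it is simpler than the first revision of this PR, which constructed it separately in both branches.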
[Freeipa-devel] [freeipa PR#677][closed] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Author: HonzaCholasta
Title: #677: cert: defer cert-find result post-processing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/677/head:pr677
git checkout pr677
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing

HonzaCholasta commented:
"""
master:

* eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a cert: defer cert-find result post-processing

ipa-4-5:

* 49f9d799c171c7ae2ac546a33a353c2c40b4719c cert: defer cert-find result post-processing
"""

See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295228772
[Freeipa-devel] [freeipa PR#677][+pushed] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing
Label: +pushed
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing

HonzaCholasta commented:
"""
That might require backporting [issue 6564](https://pagure.io/freeipa/issue/6564) as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295226720
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing

stlaz commented:
"""
We may need these changes in 4.5 and 4.4, too, since `cert-find` is rather broken there, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295212663
[Freeipa-devel] [freeipa PR#677][+ack] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing
Label: +ack
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

pvoborni commented:
"""
IMO this can be put to 4.5.1 (ipa-4-5 branch) but in order to do it, according to FreeIPA devel processes, it needs to be attached (have a ticket link in commit message) to an opened issue in the 4.5.1 milestone. Otherwise it will go only to master branch (future 4.6). If this fixes 6850, then it can be reopened for it. Otherwise please [open a new issue](https://pagure.io/freeipa/new_issue) with reasoning.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295209903
[Freeipa-devel] [freeipa PR#721][opened] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: opened PR body: """ Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 From 1c7109c885457b20d7e1104c1e327537e9965b6f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 19 Apr 2017 11:42:40 +0200 Subject: [PATCH] Fix RA cert import during DL0 replication Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..faffd2e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -400,7 +400,8 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Importing RA key", self.__import_ra_key) else: self.step("importing RA certificate from PKCS #12 file", - lambda: self.import_ra_cert(ra_p12)) + lambda: self.import_ra_cert(ra_p12, + self.dm_password)) if not ra_only: self.step("setting up signing cert profile", self.__setup_sign_profile) 
@@ -676,20 +677,26 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile): +def import_ra_cert(self, rafile, password=None): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. Used when setting up replication """ +pwdarg = 'pass:' +if password is not None: +pwdfile_fd, pwdfile_name = tempfile.mkstemp() +os.write(pwdfile_fd, password) +os.close(pwdfile_fd) +pwdarg = 'file:{file}'.format(file=pwdfile_name) # get the private key from the file ipautil.run([paths.OPENSSL, "pkcs12", "-in", rafile, "-nocerts", "-nodes", "-out", paths.RA_AGENT_KEY, - "-passin", "pass:"]) + "-passin", pwdarg]) # get the certificate from the pkcs12 file ipautil.run([paths.OPENSSL, @@ -697,7 +704,7 @@ def import_ra_cert(self, rafile): "-in", rafile, "-clcerts", "-nokeys", "-out", paths.RA_AGENT_PEM, - "-passin", "pass:"]) + "-passin", pwdarg]) self.__set_ra_cert_perms() self.configure_agent_renewal() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
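Review bot: in the `import_ra_cert` hunk the passphrase file created with `tempfile.mkstemp()` is never deleted, so the Directory Manager password remains on disk in a temporary file after the two openssl calls return, and also if `ipautil.run` raises in between. Wrap the file in a context manager or a `try`/`finally` that calls `os.unlink(pwdfile_name)`, and note that `os.write(pwdfile_fd, password)` requires a `bytes` object on Python 3, so the password must be encoded before writing. The signature also changes to `password=None` while the only caller, the lambda in `configure_instance`, always passes `self.dm_password`; either document the `None` case (falls back to the empty `pass:` passphrase) in the docstring or drop the default.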
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

abbra commented:
"""
Well, given that it is not officially supported yet, go ahead.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295195255
[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes
URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

tiran commented:
"""
@abbra is there any reason to delay the merge? I like to get the fixes into 4.5 for the upcoming 4.5.1 release. This commit may not be sufficient for full macOS support, but it's definitely required for macOS support. There is no harm to commit it now and fix remaining issues later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecomment-295193893
[Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/702 Author: tiran Title: #702: Correct PyPI package dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/702/head:pr702 git checkout pr702 From 604ed718f621838bf728633043d9e4b0e58ee5d1 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 10 Apr 2017 10:00:23 +0200 Subject: [PATCH] Correct PyPI package dependencies * Remove unused install requires from ipapython * Add missing requirements to ipaserver * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap https://pagure.io/freeipa/issue/6875 Signed-off-by: Christian Heimes --- ipaclient/setup.py | 5 ++--- ipapython/setup.py | 6 ++ ipaserver/setup.py | 5 - ipasetup.py.in | 16 ipatests/setup.py | 3 ++- tox.ini| 3 +-- 6 files changed, 23 insertions(+), 15 deletions(-) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index ccb5396..0140fd5 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -50,12 +50,11 @@ ], }, install_requires=[ +"cffi", "cryptography", "ipalib", "ipapython", "jinja2", -"python-yubico", -"pyusb", "qrcode", "six", ], @@ -66,7 +65,7 @@ }, extras_require={ "install": ["ipaplatform"], -"otptoken_yubikey": ["yubico", "usb"] +"otptoken_yubikey": ["python-yubico", "pyusb"], }, zip_safe=False, ) diff --git a/ipapython/setup.py b/ipapython/setup.py index f4bc3f8..4f71530 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -41,16 +41,14 @@ "cryptography", "dnspython", "gssapi", -"jwcrypto", # "ipalib", # circular dependency -"pyldap", "netaddr", "netifaces", -"requests", "six", ], extras_require={ -":python_version<'3'": ["enum34"], +":python_version<'3'": ["enum34", "python-ldap"], +":python_version>='3'": ["pyldap"], "install": ["dbus-python"], # for certmonger }, ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 097508f..f48cef4 100755 
--- a/ipaserver/setup.py +++ b/ipaserver/setup.py @@ -55,10 +55,11 @@ "ipalib", "ipaplatform", "ipapython", +"jwcrypto", "lxml", "netaddr", "pyasn1", -"pyldap", +"requests", "six", ], entry_points={ @@ -70,6 +71,8 @@ ], }, extras_require={ +":python_version<'3'": ["python-ldap"], +":python_version>='3'": ["pyldap"], # These packages are currently not available on PyPI. "dcerpc": ["samba", "pysss", "pysss_nss_idmap"], "hbactest": ["pyhbac"], diff --git a/ipasetup.py.in b/ipasetup.py.in index b0a5051..2ad57e2 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -101,6 +101,7 @@ common_args = dict( "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", +"Programming Language :: Python :: 3.6", "Programming Language :: Python :: Implementation :: CPython", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", @@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs): cmdclass = setup_kwargs.setdefault('cmdclass', {}) cmdclass['build_py'] = build_py -# Env markers like ":python_version<'3.3'" are not supported by +# Env markers like ":python_version<'3'" are not supported by # setuptools < 18.0. if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0): for k in list(setup_kwargs['extras_require']): -if k.startswith(':'): -req = setup_kwargs.setdefault('install_requires', []) -req.extend(setup_kwargs['extras_require'].pop(k)) +if not k.startswith(':'): +continue +values = setup_kwargs['extras_require'].pop(k) +req = setup_kwargs.setdefault('install_requires', []) +if k == ":python_version<'3'" and sys.version_info.major == 2: +req.extend(values) +elif k == ":python_version>='3'" and sys.version_info.major >= 3: +req.extend(values) +else: +raise ValueError(k, values) os.chdir(local_path) try: diff --git a/ipatests/setup.py b/ipatests/setup.py index 4c02c79..00b9334 100644 --- a/ipatests/setup.py +++ b/ipatests/setup.py @@ -68,12 +68,13 @@ "ipapython",
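Review bot: the setuptools < 18.0 fallback loop in `ipasetup()` (the `ipasetup.py.in` hunk) now raises `ValueError(k, values)` for any environment-marker key that does not match the running interpreter, not only for an unrecognised key. With both `":python_version<'3'"` and `":python_version>='3'"` present in the same `extras_require` dict, as `ipapython/setup.py` and `ipaserver/setup.py` now have, one of the two always fails both the `if` and the `elif` test on whichever interpreter runs, so every install with old setuptools will end in the `else: raise`. A known marker that simply does not apply should be skipped with `continue`, and only a key that matches neither recognised marker string should raise.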
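Review bot: in the `ipaclient/setup.py` hunk, changing the `otptoken_yubikey` extra from `["yubico", "usb"]` to `["python-yubico", "pyusb"]` is the right fix, since the old values were the import names rather than the PyPI distribution names and so did not describe the packages actually required. Adding `"cffi"` to `install_requires` will raise an eyebrow because `cryptography`, already listed, itself depends on cffi; the commit message says csrgen uses it directly, so a short comment next to the entry stating that would spare the next reader the same question.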
[Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now
URL: https://github.com/freeipa/freeipa/pull/720
Title: #720: tox: use pylint 1.6.x for now

tiran commented:
"""
Needs rebase to 4.5 **or** 4.5 must be made compatible with pylint 1.7 before 4.5.1 is released.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/720#issuecomment-295174341
[Freeipa-devel] [freeipa PR#720][opened] tox: use pylint 1.6.x for now
URL: https://github.com/freeipa/freeipa/pull/720 Author: tiran Title: #720: tox: use pylint 1.6.x for now Action: opened PR body: """ FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x until all issues have been addressed. Related: https://pagure.io/freeipa/issue/6874 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/720/head:pr720 git checkout pr720 From 29185f722ae376dc578f63a57f82bbe8a122e1b0 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 19 Apr 2017 10:58:11 +0200 Subject: [PATCH] tox: use pylint 1.6.x for now FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x until all issues have been addressed. Related: https://pagure.io/freeipa/issue/6874 Signed-off-by: Christian Heimes --- tox.ini | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index db551df..f4d307c 100644 --- a/tox.ini +++ b/tox.ini @@ -24,7 +24,8 @@ basepython=python2.7 deps= ipaclient ipapython[certmonger] -pylint +# see https://pagure.io/freeipa/issue/6874 +pylint < 1.7 commands= {envpython} -m pylint \ --rcfile={toxinidir}/pylintrc \ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
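Review bot: `pylint < 1.7` in the `deps` list of tox.ini only caps the upper bound; since the commit message says the intent is to run 1.6.x, write the constraint as `pylint >= 1.6, < 1.7` so that an older pylint cannot be selected either. Keeping the `# see https://pagure.io/freeipa/issue/6874` comment directly above the pin is good practice, because the pin is meant to be temporary and the link tells the next person when it can be removed.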
[Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From 2940a8774fe3283497d13ef287de2e10638e725f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/server/install.py | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..7c0eccf 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -761,12 +761,15 @@ def install(installer): realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None) -krb = krbinstance.KrbInstance(fstore) -krb.create_instance(realm_name, host_name, domain_name, -dm_password, master_password, -setup_pkinit=not options.no_pkinit, -pkcs12_info=pkinit_pkcs12_info, -subject_base=options.subject_base) +if not options.external_cert_files: +krb = krbinstance.KrbInstance(fstore) +krb.create_instance(realm_name, host_name, domain_name, +dm_password, master_password, +setup_pkinit=not options.no_pkinit, +pkcs12_info=pkinit_pkcs12_info, +subject_base=options.subject_base) +else: +krb = krbinstance.KrbInstance(fstore) if setup_ca: if not options.external_cert_files and options.external_ca: From 9d165c77186f7f1f4db0c0cc3b58a6d5f3582384 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file -for cert in certlist: -with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +for cert in certlist: ipaca_pem.write(cert) +ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
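Review bot: in the `install()` hunk of patch 1/2 the `else:` branch does nothing but repeat `krb = krbinstance.KrbInstance(fstore)`, which the `if` branch also executes before calling `create_instance`; construct the instance once before the `if not options.external_cert_files:` test and keep only the `krb.create_instance(...)` call under the guard. That makes the diff smaller and the intent, skipping the Kerberos installation on the second run of an external-CA install, easier to read (the later revision of this PR on this page does exactly that).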