[Freeipa-devel] [freeipa PR#790][opened] RFC: API for reporting PKINIT status

2017-05-16 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/790
Author: martbab
 Title: #790: RFC: API for reporting PKINIT status
Action: opened

PR body:
"""
This PR implements an easily consumable API that reports PKINIT status on masters
based on the presence of the pkinitEnabled value in the KDC entry's ipaConfigString
attribute.

https://pagure.io/freeipa/issue/6937
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/790/head:pr790
git checkout pr790
From efc1f9d17c208b5d8b3ff99ed73e165ae7ca05dd Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 11 May 2017 15:55:53 +0200
Subject: [PATCH 1/4] Allow for multivalued server attributes

In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order not to break the Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937
---
 ipaserver/plugins/serverroles.py|   4 +-
 ipaserver/servroles.py  | 109 +++-
 ipatests/test_ipaserver/test_serverroles.py |  10 +--
 3 files changed, 79 insertions(+), 44 deletions(-)

diff --git a/ipaserver/plugins/serverroles.py b/ipaserver/plugins/serverroles.py
index e22eadd..e81635c 100644
--- a/ipaserver/plugins/serverroles.py
+++ b/ipaserver/plugins/serverroles.py
@@ -136,9 +136,7 @@ def config_retrieve(self, servrole):
 
 for name, attr in assoc_attributes.items():
 attr_value = attr.get(self.api)
-
-if attr_value is not None:
-result.update({name: attr_value})
+result.update({name: attr_value})
 
 return result
 
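Review bot: dropping the `if attr_value is not None` guard makes `config_retrieve` depend on every server attribute's `get()` returning a list (the `return []` added in servroles.py covers the `EmptyResult` path); any attribute implementation that still returns `None` will now put a `None` value into `result` where the previous code omitted the key. Either keep the guard or document the list-only return contract on the base class.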
diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
index cf45999..84fed10 100644
--- a/ipaserver/servroles.py
+++ b/ipaserver/servroles.py
@@ -277,29 +277,33 @@ def get(self, api_instance):
 try:
 entries = ldap2.get_entries(search_base, filter=search_filter)
 except errors.EmptyResult:
-return
+return []
 
-master_cn = entries[0].dn[1]['cn']
+master_cns = {e.dn[1]['cn'] for e in entries}
 
 associated_role_providers = set(
 self._get_assoc_role_providers(api_instance))
 
-if master_cn not in associated_role_providers:
+if not master_cns.issubset(associated_role_providers):
 raise errors.ValidationError(
 name=self.name,
 error=_("all masters must have %(role)s role enabled" %
 {'role': self.associated_role.name})
 )
 
-return master_cn
+return sorted(master_cns)
 
-def _get_master_dn(self, api_instance, server):
-return DN(('cn', server), api_instance.env.container_masters,
-  api_instance.env.basedn)
+def _get_master_dns(self, api_instance, servers):
+return [
+DN(('cn', server), api_instance.env.container_masters,
+   api_instance.env.basedn) for server in servers]
+
+def _get_masters_service_entries(self, ldap, master_dns):
+service_dns = [
+DN(('cn', self.associated_service_name), master_dn) for master_dn
+in master_dns]
 
-def _get_masters_service_entry(self, ldap, master_dn):
-service_dn = DN(('cn', self.associated_service_name), master_dn)
-return ldap.get_entry(service_dn)
+return [ldap.get_entry(service_dn) for service_dn in service_dns]
 
 def _add_attribute_to_svc_entry(self, ldap, service_entry):
 """
@@ -341,65 +345,98 @@ def _get_assoc_role_providers(self, api_instance):
 r[u'server_server'] for r in self.associated_role.status(
 api_instance) if r[u'status'] == ENABLED]
 
-def _remove(self, api_instance, master):
+def _remove(self, api_instance, masters):
 """
-remove attribute from the master
+remove attribute from one or more masters
 
 :param api_instance: API instance
-:param master: master FQDN
+:param master: list or iterable containing master FQDNs
 """
 
 ldap = api_instance.Backend.ldap2
 
-master_dn = self._get_master_dn(api_instance, master)
-service_entry = self._get_masters_service_entry(ldap, master_dn)
-self._remove_attribute_from_svc_entry(ldap, service_entry)
+master_dns = self._get_master_dns(api_instance, masters)
+service_entries = self._get_masters_service_entries(ldap, master_dns)
+
+for service_entry in service_entries:
+self._remove_attribute_from_svc_entry(ldap, service_entry)
 
-def _add(self, api_instance, master):
+def _add(self, api_instance, masters):
 

[Freeipa-devel] [freeipa PR#772][synchronized] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/772
Author: martbab
 Title: #772: Travis CI: explicitly update pip before running the builds
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/772/head:pr772
git checkout pr772
From ac03074839f3602df8c95be89d52ef4ae8238033 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 9 May 2017 18:36:51 +0200
Subject: [PATCH] Travis CI: explicitly update pip before running the builds

This is to work around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
the implicit requirement of python-requests on newer pip.
---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 1a8f1b3..c275cdc 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,6 +28,8 @@ env:
 test_pkcs10
 test_xmlrpc/test_[l-z]*.py"
 install:
+- pip install --upgrade pip
+- pip3 install --upgrade pip
 - pip install pep8
 - >
   pip3 install
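Review bot: `pip install --upgrade pip` and `pip3 install --upgrade pip` pull whatever pip release is current at build time, so the build stays exposed to the next pip release changing behaviour, which is the same failure class as the travis-ci issue 7733 cited in the message. Pinning the version (`pip install 'pip==X.Y'`, with X.Y chosen at review time) makes the workaround reproducible.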
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][opened] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/772
Author: martbab
 Title: #772: Travis CI: explicitly update pip before running the builds
Action: opened

PR body:
"""
This is to work around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
the implicit requirement of python-requests on newer pip.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/772/head:pr772
git checkout pr772
From 51de0bc52f48b17fad03a19bc3a094ba797a2c4d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 9 May 2017 18:36:51 +0200
Subject: [PATCH] Travis CI: explicitly update pip before running the builds

This is to work around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
the implicit requirement of python-requests on newer pip.
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 1a8f1b3..5835999 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,6 +28,7 @@ env:
 test_pkcs10
 test_xmlrpc/test_[l-z]*.py"
 install:
+- pip install --upgrade pip
 - pip install pep8
 - >
   pip3 install
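Review bot: only the Python 2 `pip` is upgraded here, while the install step that follows also runs `pip3 install`; if the python-requests requirement problem affects the Python 3 interpreter too, a matching `pip3 install --upgrade pip` line is needed (the synchronized revision of this PR earlier on this page adds one).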

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

martbab commented:
"""
@pvoborni We can try to move the uninstaller logic to the beginning of the 
install, or make the affected steps idempotent. But still I would be hesitant 
to merge this PR without some design in place.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300098837

[Freeipa-devel] [freeipa PR#767][closed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/767
Author: tomaskrizek
 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/767/head:pr767
git checkout pr767

[Freeipa-devel] [freeipa PR#767][comment] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

martbab commented:
"""
ipa-4-5:

* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python 
dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in 
service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http 
instance
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/767#issuecomment-300098076

[Freeipa-devel] [freeipa PR#767][+pushed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

Label: +pushed

[Freeipa-devel] [freeipa PR#767][+ack] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

Label: +ack

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

martbab commented:
"""
@rcritten If it is expected to not clean up properly after a failed 
installation then I would rather not advertise it as an uninstaller, otherwise 
users will start to get ideas like "I do not want to use the built-in CA anymore, 
let's just uninstall it and use 3rd party certs everywhere" and will run into 
problems with leftover certificates and such.

I would rather provide some rollback after failed install but again, I think 
there should be a more extensive discussion about a generic solution applicable 
to all service installers.

Also I would not claim that we actually do not have a service uninstaller 
framework since every service installer has copy-pasted code in an ad-hoc 
coded uninstall method repeated ad nauseam. From what I have glimpsed from the 
`ipa-4-5` branch, the `Service` class does not even provide an `uninstall` abstract 
method to override, only `SimpleServiceInstance` does that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300090846

[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-05 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/752
Title: #752: upgrade: add missing DN suffix when enabling KDC proxy

martbab commented:
"""
A separate PR will be needed for ipa-4-5 branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/752#issuecomment-299514588

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-05 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

martbab commented:
"""
I would avoid having a half-effective CA uninstaller given that other components 
like Samba, DNS(Sec), and now also KRA (given the amount of bugs the 
uninstaller caused) do not support their uninstallation.

Either we have to design some unified framework for proper optional component 
uninstallation, or we can go in the vein of the AD trust and DNS installers, which are 
idempotent to a degree. I have an impression that this PR will cause users more 
problems than it aims to solve.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-299513197

[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-05 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/752
Title: #752: upgrade: add missing DN suffix when enabling KDC proxy

martbab commented:
"""
This makes me wonder why we don't just use `self.api.env.basedn` in the 
ldap_enable/enable_kdcproxy/enable_pkinit methods but instead rely on 3 ways 
of constructing the root DN.

LGTM as a quick fix, but we need to overhaul this part of the service installers in 
the future.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/752#issuecomment-299511559

[Freeipa-devel] [freeipa PR#755][closed] Use proper SELinux context with http.keytab

2017-05-03 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/755
Author: MartinBasti
 Title: #755: Use proper SELinux context with http.keytab
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/755/head:pr755
git checkout pr755

[Freeipa-devel] [freeipa PR#755][+pushed] Use proper SELinux context with http.keytab

2017-05-03 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/755
Title: #755: Use proper SELinux context with http.keytab

Label: +pushed

[Freeipa-devel] [freeipa PR#755][comment] Use proper SELinux context with http.keytab

2017-05-03 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/755
Title: #755: Use proper SELinux context with http.keytab

martbab commented:
"""
master:

* 7f4c2fbd975d09c01e6898a4eb70d7dfea1171b4 Use proper SELinux context with 
http.keytab
ipa-4-5:

* bda733db9ede3307595963a8c086e1b700c41e25 Use proper SELinux context with 
http.keytab
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/755#issuecomment-298950728

[Freeipa-devel] [freeipa PR#755][+ack] Use proper SELinux context with http.keytab

2017-05-03 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/755
Title: #755: Use proper SELinux context with http.keytab

Label: +ack

[Freeipa-devel] [freeipa PR#742][comment] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"

martbab commented:
"""
master:

* 50f6883662e258b0335c8b3cb69946d6dcbf206c Revert "Store GSSAPI session key in 
/var/run/ipa"
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/742#issuecomment-297716105

[Freeipa-devel] [freeipa PR#742][closed] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/742
Author: martbab
 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/742/head:pr742
git checkout pr742

[Freeipa-devel] [freeipa PR#742][+pushed] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"

Label: +pushed

[Freeipa-devel] [freeipa PR#743][comment] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/743
Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

martbab commented:
"""
ipa-4-5:

* a4e1ab6c893182b8b3610c0b45120194be4a0376 Revert "Store GSSAPI session key in 
/var/run/ipa"
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/743#issuecomment-297715320

[Freeipa-devel] [freeipa PR#743][+pushed] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/743
Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

Label: +pushed

[Freeipa-devel] [freeipa PR#743][closed] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/743
Author: martbab
 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/743/head:pr743
git checkout pr743

[Freeipa-devel] [freeipa PR#742][synchronized] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/742
Author: martbab
 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/742/head:pr742
git checkout pr742
From 8237625e3c8843e9fc04d159a8e50795fa6fb52f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 27 Apr 2017 14:36:01 +0200
Subject: [PATCH] Revert "Store GSSAPI session key in /var/run/ipa"

This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 56c8995..75c122e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 25 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
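Review bot: a pure revert takes the template's VERSION from 26 back to 25, but the upgrade step compares this VERSION against the installed ipa.conf and only rewrites the file when the template's number is higher; a host that already picked up VERSION 26 would keep the `/var/run/ipa/session.key` path after upgrading. Reverting a versioned config template should bump the version to 27 rather than restore 25.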
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
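Review bot: the commit message says apache has no access to `/var/lib/ipa`, but the path being reverted in this hunk is `file:/var/run/ipa/session.key`; one of the two is wrong and the message should name the directory that actually failed. The same directive is repeated in the second Location block below, so both hunks must stay in sync.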
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   Header unset Set-Cookie
 

[Freeipa-devel] [freeipa PR#743][synchronized] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/743
Author: martbab
 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/743/head:pr743
git checkout pr743
From 30edc779cecd537934d36d07d83f552322c483f0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 27 Apr 2017 14:38:25 +0200
Subject: [PATCH] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

This reverts commit 2bab2d4. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 56c8995..75c122e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 25 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   Header unset Set-Cookie
 

[Freeipa-devel] [freeipa PR#743][opened] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/743
Author: martbab
 Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Action: opened

PR body:
"""
This reverts commit 2bab2d4. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/743/head:pr743
git checkout pr743
From eda0662a1a538a4909ad732788f33eed3c18af70 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 27 Apr 2017 14:38:25 +0200
Subject: [PATCH] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

This reverts commit 2bab2d4. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 56c8995..75c122e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 25 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   Header unset Set-Cookie
 

[Freeipa-devel] [freeipa PR#742][opened] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/742
Author: martbab
 Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Action: opened

PR body:
"""
This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/742/head:pr742
git checkout pr742
From 3c0151e87107bc6997c7b3ff0ec416fdeeba8744 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 27 Apr 2017 14:36:01 +0200
Subject: [PATCH] Revert "Store GSSAPI session key in /var/run/ipa"

This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was
pointed out that apache has no access to the /var/lib/ipa directory, breaking
the session handling.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 56c8995..75c122e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 25 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/var/run/ipa/session.key
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   Header unset Set-Cookie
 

[Freeipa-devel] [freeipa PR#740][closed] [4.5]Hide PKI Client database password in log file

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/740
Author: Akasurde
 Title: #740: [4.5]Hide PKI Client database password in log file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/740/head:pr740
git checkout pr740

[Freeipa-devel] [freeipa PR#740][comment] [4.5]Hide PKI Client database password in log file

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/740
Title: #740: [4.5]Hide PKI Client database password in log file

martbab commented:
"""
ipa-4-5:

* 1d911fc2186da1c6566648f94a6819c4e7a2a72b Hide PKI Client database password in 
log file
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/740#issuecomment-297688104

[Freeipa-devel] [freeipa PR#740][+pushed] [4.5]Hide PKI Client database password in log file

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/740
Title: #740: [4.5]Hide PKI Client database password in log file

Label: +pushed

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

martbab commented:
"""
master:

* 2bab2d4963daa99742875f3633a99966bc56f5a3 Store GSSAPI session key in 
/var/run/ipa
ipa-4-5:

* b2aa3ed0bc9f5385ab6e8b1720d9f1d33136e5dc Store GSSAPI session key in 
/var/run/ipa
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-297677527

[Freeipa-devel] [freeipa PR#723][closed] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
 Title: #723: Store GSSAPI session key in /var/run/httpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723

[Freeipa-devel] [freeipa PR#723][+pushed] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: +pushed

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
Any volunteer to do a functional review?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-297677004

[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From cb483d51beadb2446392835bf235ca5c6145d8c8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 25 Apr 2017 18:55:59 +0200
Subject: [PATCH 1/8] separate function to set ipaConfigString values on
 service entry

There is some code duplication regarding setting ipaConfigString values
when:
   * LDAP-enabling a service entry
   * advertising enabled KDCProxy in LDAP

We can delegate the common work to a single re-usable function and thus
expose it to future use-cases (like PKINIT advertising).

https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/httpinstance.py |  43 +---
 ipaserver/install/service.py  | 135 ++
 2 files changed, 94 insertions(+), 84 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..f0a477e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -42,7 +42,6 @@
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
-from ipalib import errors
 from ipalib.constants import ANON_USER
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
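Review bot: dropping `from ipalib import errors` is only safe if nothing else in httpinstance.py still references `errors.`; this hunk shows just the import, while the removed body of `enable_kdcproxy` below was the code handling `errors.NotFound`, `errors.EmptyModlist` and `errors.DuplicateEntry`, so check the rest of the module for other catch sites before merging.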
@@ -451,46 +450,8 @@ def is_kdcproxy_configured(self):
 
 def enable_kdcproxy(self):
 """Add ipaConfigString=kdcProxyEnabled to cn=KDC"""
-entry_name = DN(('cn', 'KDC'), ('cn', self.fqdn), ('cn', 'masters'),
-('cn', 'ipa'), ('cn', 'etc'), self.suffix)
-attr_name = 'kdcProxyEnabled'
-
-try:
-entry = api.Backend.ldap2.get_entry(
-entry_name, ['ipaConfigString'])
-except errors.NotFound:
-pass
-else:
-if any(attr_name.lower() == val.lower()
-   for val in entry.get('ipaConfigString', [])):
-root_logger.debug("service KDCPROXY already enabled")
-return
-
-entry.setdefault('ipaConfigString', []).append(attr_name)
-try:
-api.Backend.ldap2.update_entry(entry)
-except errors.EmptyModlist:
-root_logger.debug("service KDCPROXY already enabled")
-return
-except:
-root_logger.debug("failed to enable service KDCPROXY")
-raise
-
-root_logger.debug("service KDCPROXY enabled")
-return
-
-entry = api.Backend.ldap2.make_entry(
-entry_name,
-objectclass=["nsContainer", "ipaConfigObject"],
-cn=['KDC'],
-ipaconfigstring=[attr_name]
-)
-
-try:
-api.Backend.ldap2.add_entry(entry)
-except errors.DuplicateEntry:
-root_logger.debug("failed to add service KDCPROXY entry")
-raise
+service.set_service_entry_config(
+'KDC', self.fqdn, [u'kdcProxyEnabled'], self.suffix)
 
 def create_kdcproxy_conf(self):
 """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy"""
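Review bot: the replacement `service.set_service_entry_config('KDC', self.fqdn, [u'kdcProxyEnabled'], self.suffix)` needs `service` to be imported in httpinstance.py and `self.suffix` to be a `DN` (the helper in the service.py hunk does `assert isinstance(ldap_suffix, DN)`); neither is visible in this hunk, so confirm both. The removed body also logged "service KDCPROXY already enabled" on the `EmptyModlist` path and re-raised on `DuplicateEntry`, so the helper must keep that idempotent behaviour for repeated installs and upgrades, otherwise the docstring "Add ipaConfigString=kdcProxyEnabled to cn=KDC" stops describing what happens on a second run.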
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 9533a88..6b5e69c 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -136,6 +136,87 @@ def find_providing_server(svcname, conn, host_name=None, api=api):
 return None
 
 
+def case_insensitive_attr_has_value(attr, value):
+"""
+Helper function to find value in an attribute having case-insensitive
+matching rules
+
+:param attr: attribute values
+:param value: value to find
+
+:returns: True if the case-insensitive match succeeds, false otherwise
+
+"""
+if any(value.lower() == val.lower()
+   for val in attr):
+return True
+
+return False
+
+
+def set_service_entry_config(name, fqdn, config_values,
+ ldap_suffix='',
+ post_add_config=()):
+"""
+Sets the 'ipaConfigString' values on the entry. If the entry is not present
+already, create a new one with desired 'ipaConfigString'
+
+:param name: service entry name
+:param config_values: configuration values to store
+:param fqdn: master fqdn
+:param ldap_suffix: LDAP backend suffix
+:param post_add_config: additional configuration to add when adding a
+non-existent entry
+"""
+assert isinstance(ldap_suffix, DN)
+
+entry_name = DN(
+('cn', name), ('cn', fqdn), ('cn', 'masters'),
+('cn', 'i
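Review bot: `set_service_entry_config` defaults `ldap_suffix=''` and then immediately does `assert isinstance(ldap_suffix, DN)`, so the default can never be used, and under `python -O` the assert vanishes and an empty suffix would silently build an entry DN with no suffix; make the parameter required, or default it to `None` and raise `TypeError` explicitly. Two smaller points: the `:param config_values:` and `:param fqdn:` docstring entries are in the opposite order from the signature, and `case_insensitive_attr_has_value` reduces to `return any(value.lower() == val.lower() for val in attr)`.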

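As an added example (not FreeIPA's own code) of the behaviour that the `set_service_entry_config` refactor above centralises, and of the read side that the later comment on querying ipaConfigString for PKINIT status describes: an in-memory stand-in for the ldap2 backend (`FakeLdap` and its exception classes are assumptions) showing the idempotent, case-insensitive ipaConfigString update and a flag query.

```python
# Added example, not FreeIPA code.  FakeLdap, NotFound, EmptyModlist and
# DuplicateEntry are assumed stand-ins for the ldap2 backend and its errors.


class NotFound(Exception):
    """Entry does not exist."""

class EmptyModlist(Exception):
    """Update would change nothing (mirrors the ldap2 exception)."""

class DuplicateEntry(Exception):
    """Add attempted for a DN that already exists."""


class FakeLdap:
    """Minimal directory: DN string -> dict of attribute value lists."""

    def __init__(self):
        self.entries = {}

    def get_entry(self, dn):
        if dn not in self.entries:
            raise NotFound(dn)
        # hand out a copy so changes only land through update_entry()
        return {k: list(v) for k, v in self.entries[dn].items()}

    def update_entry(self, dn, entry):
        if self.entries.get(dn) == entry:
            raise EmptyModlist(dn)
        self.entries[dn] = {k: list(v) for k, v in entry.items()}

    def add_entry(self, dn, entry):
        if dn in self.entries:
            raise DuplicateEntry(dn)
        self.entries[dn] = {k: list(v) for k, v in entry.items()}


def service_entry_dn(name, fqdn, suffix):
    """cn=<name>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> as a string."""
    return "cn=%s,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (name, fqdn, suffix)


def case_insensitive_attr_has_value(attr, value):
    """ipaConfigString has case-insensitive matching rules, so fold case."""
    return any(value.lower() == val.lower() for val in attr)


def set_service_entry_config(conn, name, fqdn, config_values, suffix):
    """Ensure each value in config_values is advertised in the entry's
    ipaConfigString, creating the entry if missing.  Returns the values
    actually added (empty list when everything was already present)."""
    dn = service_entry_dn(name, fqdn, suffix)
    try:
        entry = conn.get_entry(dn)
    except NotFound:
        conn.add_entry(dn, {
            "objectclass": ["nsContainer", "ipaConfigObject"],
            "cn": [name],
            "ipaConfigString": list(config_values),
        })
        return list(config_values)

    current = entry.setdefault("ipaConfigString", [])
    added = [v for v in config_values
             if not case_insensitive_attr_has_value(current, v)]
    if not added:
        return []  # already advertised (possibly in a different case)
    current.extend(added)
    try:
        conn.update_entry(dn, entry)
    except EmptyModlist:
        return []  # a concurrent writer got there first; state is as wanted
    return added


def service_flag_enabled(conn, name, fqdn, flag, suffix):
    """Read side: is a flag such as pkinitEnabled advertised for this master?"""
    try:
        entry = conn.get_entry(service_entry_dn(name, fqdn, suffix))
    except NotFound:
        return False
    return case_insensitive_attr_has_value(entry.get("ipaConfigString", []), flag)


def demo():
    """Constructed scenario: one master's cn=KDC entry across three calls."""
    conn = FakeLdap()
    suffix, host = "dc=example,dc=test", "master.example.test"
    first = set_service_entry_config(conn, "KDC", host, ["kdcProxyEnabled"], suffix)
    # second call differs only in case: must be a no-op, not a duplicate value
    again = set_service_entry_config(conn, "KDC", host, ["KDCPROXYENABLED"], suffix)
    pkinit = set_service_entry_config(conn, "KDC", host, ["pkinitEnabled"], suffix)
    stored = conn.entries[service_entry_dn("KDC", host, suffix)]["ipaConfigString"]
    return (first, again, pkinit,
            service_flag_enabled(conn, "KDC", host, "pkinitEnabled", suffix),
            service_flag_enabled(conn, "KDC", host, "kdcProxyEnabled", suffix), stored)
```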
[Freeipa-devel] [freeipa PR#739][+pushed] [4.5] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/739
Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes

Label: +pushed

[Freeipa-devel] [freeipa PR#731][+pushed] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/731
Title: #731: spec file: bump krb5 Requires for certauth fixes

Label: +pushed

[Freeipa-devel] [freeipa PR#739][comment] [4.5] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/739
Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes

martbab commented:
"""
ipa-4-5:

* ec3a2a6063beb4ec96796b66abb82476a5c7bd0f spec file: bump krb5 Requires for 
certauth fixes
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/739#issuecomment-297632489

[Freeipa-devel] [freeipa PR#739][closed] [4.5] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/739
Author: HonzaCholasta
 Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/739/head:pr739
git checkout pr739

[Freeipa-devel] [freeipa PR#731][closed] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/731
Author: HonzaCholasta
 Title: #731: spec file: bump krb5 Requires for certauth fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/731/head:pr731
git checkout pr731

[Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes

2017-04-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/731
Title: #731: spec file: bump krb5 Requires for certauth fixes

martbab commented:
"""
master:

* 0f42670afa935801c25bc66f733a8d1b90ea5a0b spec file: bump krb5 Requires for 
certauth fixes
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/731#issuecomment-297632322

[Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes

2017-04-26 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/731
Title: #731: spec file: bump krb5 Requires for certauth fixes

martbab commented:
"""
We will need a separate PR for ipa-4-5 branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/731#issuecomment-297455136

[Freeipa-devel] [freeipa PR#731][+ack] spec file: bump krb5 Requires for certauth fixes

2017-04-26 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/731
Title: #731: spec file: bump krb5 Requires for certauth fixes

Label: +ack

[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-26 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From a047c9c02bef7c9991553017917b3747cf2b3115 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 15:06:46 +0200
Subject: [PATCH 1/7] Allow for configuration of all three PKINIT variants when
 deploying KDC

The PKINIT setup code can now configure PKINIT using an IPA CA-signed
certificate, a 3rd party certificate, or local PKINIT with a self-signed
keypair. Local PKINIT is also selected as a fallback mechanism if the
CSR is rejected by the CA master or `--no-pkinit` is used.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbinstance.py | 145 +--
 1 file changed, 93 insertions(+), 52 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6c105f7..8021578 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -38,6 +38,7 @@
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
+from ipapython.dogtag import KDC_PROFILE
 
 from ipaserver.install import replication
 from ipaserver.install import ldapupdate
@@ -354,61 +355,84 @@ def _wait_for_replica_kdc_entry(self):
 remote_ldap.gssapi_bind()
 replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
 
-def setup_pkinit(self):
-if self.pkcs12_info:
-certs.install_pem_from_p12(self.pkcs12_info[0],
-   self.pkcs12_info[1],
-   paths.KDC_CERT)
-certs.install_key_from_p12(self.pkcs12_info[0],
-   self.pkcs12_info[1],
-   paths.KDC_KEY)
-else:
-subject = str(DN(('cn', self.fqdn), self.subject_base))
-krbtgt = "krbtgt/" + self.realm + "@" + self.realm
-certpath = (paths.KDC_CERT, paths.KDC_KEY)
+def _call_certmonger(self, certmonger_ca='IPA'):
+subject = str(DN(('cn', self.fqdn), self.subject_base))
+krbtgt = "krbtgt/" + self.realm + "@" + self.realm
+certpath = (paths.KDC_CERT, paths.KDC_KEY)
 
-try:
-prev_helper = None
-if self.master_fqdn is None:
-ca_args = [
-paths.CERTMONGER_DOGTAG_SUBMIT,
-'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
-'--certfile', paths.RA_AGENT_PEM,
-'--keyfile', paths.RA_AGENT_KEY,
-'--cafile', paths.IPA_CA_CRT,
-'--agent-submit'
-]
-helper = " ".join(ca_args)
-prev_helper = certmonger.modify_ca_helper('IPA', helper)
-else:
-self._wait_for_replica_kdc_entry()
-
-certmonger.request_and_wait_for_cert(
-certpath,
-subject,
-krbtgt,
-dns=self.fqdn,
-storage='FILE',
-profile='KDCs_PKINIT_Certs')
-except dbus.DBusException as e:
-# if the certificate is already tracked, ignore the error
-name = e.get_dbus_name()
-if name != 'org.fedorahosted.certmonger.duplicate':
-root_logger.error("Failed to initiate the request: %s", e)
-return
-finally:
-if prev_helper is not None:
-certmonger.modify_ca_helper('IPA', prev_helper)
-
-# Finally copy the cacert in the krb directory so we don't
-# have any selinux issues with the file context
+try:
+prev_helper = None
+# on the first CA-ful master without '--no-pkinit', we issue the
+# certificate by contacting Dogtag directly
+use_dogtag_submit = all(
+[self.master_fqdn is None,
+ self.pkcs12_info is None,
+ self.config_pkinit])
+
+if use_dogtag_submit:
+ca_args = [
+paths.CERTMONGER_DOGTAG_SUBMIT,
+'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+'--certfile', paths.RA_AGENT_PEM,
+'--keyfile', paths.RA_AGENT_KEY,
+'--cafile', paths.IPA_CA_CRT,
+'--agent-submit'
+]
+helper = " ".join(ca_args)
+   
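Review bot: the removed `else: self._wait_for_replica_kdc_entry()` branch has no replacement in the shown lines of `_call_certmonger` (the hunk is cut off at `helper = " ".join(ca_args)`), so make sure a replica still waits for its KDC entry to replicate before the certificate request is submitted. Also, the new method takes `certmonger_ca='IPA'` while the old code passed the literal `'IPA'` to `certmonger.modify_ca_helper` both when installing the helper and in the `finally` restore; both calls should use `certmonger_ca`, otherwise a request against a different certmonger CA would modify and restore the IPA helper instead.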

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@HonzaCholasta Then the best course of action is to remove the PKINIT check 
and raise the priority of the issue for the test case.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-296999874

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have rewritten the PKINIT state reporting code as agreed with @abbra and also 
re-factored the installation/upgrade logic. @HonzaCholasta also requested to 
remove the local PKINIT check completely and have a test suite for that. On the 
one hand I tend to agree, on the other I would keep the check there for now 
until the password authentication test is implemented. Then remove the checks 
once we have coverage for it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-296613316

[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-24 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From f3f48aa15587eccc8046f36d62397fee634f7090 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 15:06:46 +0200
Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when
 deploying KDC

The PKINIT setup code can now configure PKINIT using an IPA CA-signed
certificate, a 3rd party certificate, or local PKINIT with a self-signed
keypair. Local PKINIT is also selected as a fallback mechanism if the
CSR is rejected by the CA master or `--no-pkinit` is used.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbinstance.py | 143 +--
 1 file changed, 91 insertions(+), 52 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6c105f7..a86cd16 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -38,6 +38,7 @@
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
+from ipapython.dogtag import KDC_PROFILE
 
 from ipaserver.install import replication
 from ipaserver.install import ldapupdate
@@ -354,61 +355,80 @@ def _wait_for_replica_kdc_entry(self):
 remote_ldap.gssapi_bind()
 replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
 
-def setup_pkinit(self):
-if self.pkcs12_info:
-certs.install_pem_from_p12(self.pkcs12_info[0],
-   self.pkcs12_info[1],
-   paths.KDC_CERT)
-certs.install_key_from_p12(self.pkcs12_info[0],
-   self.pkcs12_info[1],
-   paths.KDC_KEY)
-else:
-subject = str(DN(('cn', self.fqdn), self.subject_base))
-krbtgt = "krbtgt/" + self.realm + "@" + self.realm
-certpath = (paths.KDC_CERT, paths.KDC_KEY)
+def _call_certmonger(self, certmonger_ca='IPA'):
+subject = str(DN(('cn', self.fqdn), self.subject_base))
+krbtgt = "krbtgt/" + self.realm + "@" + self.realm
+certpath = (paths.KDC_CERT, paths.KDC_KEY)
 
-try:
-prev_helper = None
-if self.master_fqdn is None:
-ca_args = [
-paths.CERTMONGER_DOGTAG_SUBMIT,
-'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
-'--certfile', paths.RA_AGENT_PEM,
-'--keyfile', paths.RA_AGENT_KEY,
-'--cafile', paths.IPA_CA_CRT,
-'--agent-submit'
-]
-helper = " ".join(ca_args)
-prev_helper = certmonger.modify_ca_helper('IPA', helper)
-else:
-self._wait_for_replica_kdc_entry()
-
-certmonger.request_and_wait_for_cert(
-certpath,
-subject,
-krbtgt,
-dns=self.fqdn,
-storage='FILE',
-profile='KDCs_PKINIT_Certs')
-except dbus.DBusException as e:
-# if the certificate is already tracked, ignore the error
-name = e.get_dbus_name()
-if name != 'org.fedorahosted.certmonger.duplicate':
-root_logger.error("Failed to initiate the request: %s", e)
-return
-finally:
-if prev_helper is not None:
-certmonger.modify_ca_helper('IPA', prev_helper)
-
-# Finally copy the cacert in the krb directory so we don't
-# have any selinux issues with the file context
+try:
+prev_helper = None
+# on the first CA-ful master without '--no-pkinit', we issue the
+# certificate by contacting Dogtag directly
+use_dogtag_submit = all(
+[self.master_fqdn is None,
+ self.pkcs12_info is None,
+ self.config_pkinit])
+
+if use_dogtag_submit:
+ca_args = [
+paths.CERTMONGER_DOGTAG_SUBMIT,
+'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+'--certfile', paths.RA_AGENT_PEM,
+'--keyfile', paths.RA_AGENT_KEY,
+'--cafile', paths.IPA_CA_CRT,
+'--agent-submit'
+]
+helper = " ".join(ca_args)
+   
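Review bot: `use_dogtag_submit = all([self.master_fqdn is None, self.pkcs12_info is None, self.config_pkinit])` builds a list only to fold three booleans; `self.master_fqdn is None and self.pkcs12_info is None and self.config_pkinit` says the same thing directly and short-circuits. The comment above it ("on the first CA-ful master without '--no-pkinit'") should also mention the `pkcs12_info is None` condition, since a first master installed with third-party PKINIT certificates is the other case that must not contact Dogtag.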

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
We can query that PKINIT was not configured at all by a) checking the presence 
of KDC keypair, b) checking the sysupgrade (no presence of pkinit flag implies 
no configuration is present), and c) querying LDAP (no presence of 
ipaConfigString) so we have multiple redundant ways to determine that PKINIT is 
not configured at all.

As for the removal of pkinit status, I intend to replace the existing command 
by `ipa pkinit-status` as a follow-up PR once this one is merged.

I will then update the design page to reflect this discussion and update the 
implementation in this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295727092

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@abbra I received an interactive review from @HonzaCholasta today and he is not 
very keen on the idea of having a ternary (absent/local/external/full) PKINIT 
configuration. He suggests only having it absent/off (local implementation)/on 
and thus dropping the differentiation between PKINIT configured with IPA CA-issued 
or 3rd party certificates. The main concern here is that the 'local' PKINIT 
configuration is actually an implementation detail we should not leak to 
clients; they should only be able to tell whether it is configured for them or not.

If you look into the design page, the two states (full/external) behave the 
same during replica installation and upgrade, so the differentiation does not 
bring much new information to the users. So a simple on/off switch (something 
like pkinitStatus: off/on) could be enough and it could simplify the transition 
and UX. What do you think?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295692167

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have added comments to the "hidden" PKINIT setup steps. I would also like 
@simo5 and @abbra to answer further comments regarding this PR. It was on ice 
for nearly two weeks and we should really have it merged soon.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-294869009

[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From a5affec09c68647e496b5becb950778f27b95cc9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 15:06:46 +0200
Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when
 deploying KDC

The PKINIT setup code can now configure PKINIT using an IPA CA-signed
certificate, a 3rd party certificate, or local PKINIT with a self-signed
keypair. Local PKINIT is also selected as a fallback mechanism if the
CSR is rejected by the CA master.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbinstance.py | 133 +--
 1 file changed, 87 insertions(+), 46 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6c105f7..4b79ede 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -38,6 +38,7 @@
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
+from ipapython.dogtag import KDC_PROFILE
 
 from ipaserver.install import replication
 from ipaserver.install import ldapupdate
@@ -354,55 +355,86 @@ def _wait_for_replica_kdc_entry(self):
 remote_ldap.gssapi_bind()
 replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
 
+def _call_certmonger(self, certmonger_ca='IPA'):
+subject = str(DN(('cn', self.fqdn), self.subject_base))
+krbtgt = "krbtgt/" + self.realm + "@" + self.realm
+certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
+try:
+prev_helper = None
+# on the first CA-ful master without '--no-pkinit', we issue the
+# certificate by contacting Dogtag directly
+use_dogtag_submit = all(
+[self.master_fqdn is None,
+ self.pkcs12_info is None,
+ self.config_pkinit])
+
+if use_dogtag_submit:
+ca_args = [
+paths.CERTMONGER_DOGTAG_SUBMIT,
+'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+'--certfile', paths.RA_AGENT_PEM,
+'--keyfile', paths.RA_AGENT_KEY,
+'--cafile', paths.IPA_CA_CRT,
+'--agent-submit'
+]
+helper = " ".join(ca_args)
+prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper)
+
+certmonger.request_and_wait_for_cert(
+certpath,
+subject,
+krbtgt,
+ca=certmonger_ca,
+dns=self.fqdn,
+storage='FILE',
+profile=KDC_PROFILE)
+except dbus.DBusException as e:
+# if the certificate is already tracked, ignore the error
+name = e.get_dbus_name()
+if name != 'org.fedorahosted.certmonger.duplicate':
+root_logger.error("Failed to initiate the request: %s", e)
+return
+finally:
+if prev_helper is not None:
+certmonger.modify_ca_helper(certmonger_ca, prev_helper)
+
+def setup_local_pkinit(self):
+self._call_certmonger(certmonger_ca="SelfSign")
+# for self-signed certificate, the certificate is its own CA, copy it
+# as CA cert
+shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM)
+
+def setup_full_pkinit(self):
+try:
+self._call_certmonger()
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+except RuntimeError as e:
+root_logger.error("PKINIT certificate request failed: %s", e)
+root_logger.error("Falling back to local PKINIT with self-signed "
+  "certificate")
+self.stop_tracking_certs()
+self.setup_local_pkinit()
+
+def setup_external_pkinit(self):
+certs.install_pem_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_CERT)
+certs.install_key_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_KEY)
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+
 def setup_pkinit(self):
+if self.master_fqdn is not None:
+self._wait_for_replica_kdc_entry()
+
 if self.pkcs12_info:
-certs.install_pem_from_p12(self.pkcs12_info[0],
-

[Freeipa-devel] [freeipa PR#698][comment] install: request service certs after host keytab is set up

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

martbab commented:
"""
master:

* b189be12ecd1ba9efa35daf41e7e04a9362c6a5e dsinstance: reconnect ldap2 after DS 
is restarted by certmonger
* 8a8558637946d7dac1d85642baaf9ba7c1be98f8 httpinstance: avoid httpd restart 
during certificate request
* ec52332229672f35af8db5aaf1ed2827a8dd5467 dsinstance, httpinstance: 
consolidate certificate request code
* 181cb94e744c380a823b94d0d5ca088ab3dcca1c install: request service certs after 
host keytab is set up
* 3884a671cb59c360fae67884755fa5779053107a renew agent: revert to host keytab 
authentication
* a6a89e24147d8542fd09cf64e04982599b79e3cc renew agent, restart scripts: 
connect to LDAP after kinit
ipa-4-5:

* 3a3cd01161b618dd6836fda7df935dd39adc117b dsinstance: reconnect ldap2 after DS 
is restarted by certmonger
* 029da956be22c9e05a53c7c30e3afcb2c851ad86 httpinstance: avoid httpd restart 
during certificate request
* 3317e172227fd72ad9049f7893d3018043201b3c dsinstance, httpinstance: 
consolidate certificate request code
* cb141b0eb3950bcae1950e6190ba3573f348b1f2 install: request service certs after 
host keytab is set up
* 1a7db624857c46a2c1c091ed4b8d7902a4486596 renew agent: revert to host keytab 
authentication
* e9168e80ddb6066114f9438fa6a7a11b0eaa02cf renew agent, restart scripts: 
connect to LDAP after kinit
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/698#issuecomment-292591048

[Freeipa-devel] [freeipa PR#698][+pushed] install: request service certs after host keytab is set up

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

Label: +pushed

[Freeipa-devel] [freeipa PR#698][closed] install: request service certs after host keytab is set up

2017-04-07 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/698
Author: HonzaCholasta
 Title: #698: install: request service certs after host keytab is set up
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/698/head:pr698
git checkout pr698

[Freeipa-devel] [freeipa PR#698][+ack] install: request service certs after host keytab is set up

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/698
Title: #698: install: request service certs after host keytab is set up

Label: +ack

[Freeipa-devel] [freeipa PR#700][comment] Use entry_points for ipa CLI

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/700
Title: #700: Use entry_points for ipa CLI

martbab commented:
"""
I wish all of our scripts could be autogenerated from entry points. Long road 
ahead for that effort. However, this is a good start IMHO.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/700#issuecomment-292552603

[Freeipa-devel] [freeipa PR#692][+ack] tests: add non-reg for idrange-add

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/692
Title: #692: tests: add non-reg for idrange-add

Label: +ack

[Freeipa-devel] [freeipa PR#692][closed] tests: add non-reg for idrange-add

2017-04-07 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/692
Author: flo-renaud
 Title: #692: tests: add non-reg for idrange-add
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/692/head:pr692
git checkout pr692

[Freeipa-devel] [freeipa PR#692][comment] tests: add non-reg for idrange-add

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/692
Title: #692: tests: add non-reg for idrange-add

martbab commented:
"""
master:

* 342dccea47f6cb14cda63f75789eab51070fb3f6 tests: add non-reg for idrange-add
ipa-4-5:

* ab2706721db217d55ae549d50a95ace571e65aa6 tests: add non-reg for idrange-add
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/692#issuecomment-292505832

[Freeipa-devel] [freeipa PR#692][+pushed] tests: add non-reg for idrange-add

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/692
Title: #692: tests: add non-reg for idrange-add

Label: +pushed

[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/697
Title: #697: Create system users for FreeIPA services during package 
installation

martbab commented:
"""
Right, we do not have systemd available during the Docker image build, so some 
fallback mechanism directly in the spec would be great. Otherwise we would have to 
work around this in containers and I am not a big fan of that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/697#issuecomment-292488467

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@MartinBasti I can add some removal logic to the upgrader if required.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292477063

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have re-worked the PR and implemented most of the missing steps (except for 
API for querying PKINIT status in topology). I have also removed the 
PKINIT-specific CA and helper. The installer will now call either `IPA` or 
self-sign CA depending on configuration and passed-in options. The PKINIT state 
recording was also changed to depend on the KDC certificate tracking status and 
CA that tracks it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292254190

[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are following things lacking in this PR that I will either
push on top of this one or create a new PR:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [x] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are following things lacking in this PR that I will either
push on top of this one or create a new PR:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are following things lacking in this PR that I will either
push on top of this one or create a new PR:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From 7dfa337769079d6f4247aa7306abdc0401b38dd6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 15:06:46 +0200
Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when
 deploying KDC

The PKINIT setup code can now configure PKINIT using an IPA CA signed
certificate, a 3rd party certificate or local PKINIT with a self-signed
keypair. Local PKINIT is also selected as a fallback mechanism if the
CSR is rejected by the CA master.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbinstance.py | 127 +--
 1 file changed, 81 insertions(+), 46 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6c105f7..c3d56dc 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -38,6 +38,7 @@
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
+from ipapython.dogtag import KDC_PROFILE
 
 from ipaserver.install import replication
 from ipaserver.install import ldapupdate
@@ -354,55 +355,86 @@ def _wait_for_replica_kdc_entry(self):
 remote_ldap.gssapi_bind()
 replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
 
+def _call_certmonger(self, certmonger_ca='IPA'):
+subject = str(DN(('cn', self.fqdn), self.subject_base))
+krbtgt = "krbtgt/" + self.realm + "@" + self.realm
+certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
+try:
+prev_helper = None
+# on the first CA-ful master without '--no-pkinit', we issue the
+# certificate by contacting Dogtag directly
+use_dogtag_submit = all(
+[self.master_fqdn is None,
+ self.pkcs12_info is None,
+ self.config_pkinit])
+
+if use_dogtag_submit:
+ca_args = [
+paths.CERTMONGER_DOGTAG_SUBMIT,
+'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+'--certfile', paths.RA_AGENT_PEM,
+'--keyfile', paths.RA_AGENT_KEY,
+'--cafile', paths.IPA_CA_CRT,
+'--agent-submit'
+]
+helper = " ".join(ca_args)
+prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper)
+
+certmonger.request_and_wait_for_cert(
+certpath,
+subject,
+krbtgt,
+ca=certmonger_ca,
+dns=self.fqdn,
+storage='FILE',
+profile=KDC_PROFILE)
+except dbus.DBusException as e:
+# if the certificate is already tracked, ignore the error
+name = e.get_dbus_name()
+if name != 'org.fedorahosted.certmonger.duplicate':
+root_logger.error("Failed to initiate the request: %s", e)
+return
+finally:
+if prev_helper is not None:
+certmonger.modify_ca_helper(certmonger_ca, prev_helper)
+
+def setup_local_pkinit(self):
+self._call_certmonger(certmonger_ca="SelfSign")
+# for self-signed certificate, the certificate is its own CA, copy it
+# as CA cert
+shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM)
+
+def setup_full_pkinit(self):
+try:
+self._call_certmonger()
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+except RuntimeError as e:
+root_logger.error("PKINIT certificate request failed: %s", e)
+root_logger.error("Falling back to local PKINIT with self-signed "
+  "certificate")
+self.stop_tracking_certs()
+self.setup_local_pkinit()
+
+def setup_external_pkinit(self):
+certs.install_pem_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_CERT)
+certs.install_key_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_KEY)
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+
 def setup_pkinit(self):
+if self.master_fqdn is not None:
+self._wait_for_replica_kdc_entry()
+
 if self.pkcs12_info:
-certs.install_pem_from_p12(self.pkcs12_info[0],
-
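Review bot: in `_call_certmonger` a `dbus.DBusException` other than `org.fedorahosted.certmonger.duplicate` is logged and then swallowed by the bare `return`, so `setup_full_pkinit` never receives the `RuntimeError` its fallback branch catches and the installer carries on with no KDC certificate tracked at all; re-raise after logging (for example `raise RuntimeError("PKINIT certificate request failed") from e`). The fallback itself also deserves a second look: `setup_full_pkinit` quietly downgrades a CA-ful master from an IPA CA issued PKINIT certificate to a self-signed one that only works locally, which every client expecting to PKINIT against this KDC will notice, so print the downgrade on the installer console rather than only in the log and record the downgraded state so it can be reported later.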

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@MartinBasti I haven't thought about CA-less -> CA-full, but in this case you 
would have local PKINIT and should configure full PKINIT manually.

All the other scenarios should be covered by the incoming code.

Regarding your comment on the certmonger helper/special CA, we (me and 
@HonzaCholasta ) decided to remove it and use a self-sign CA instead.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292096092

[Freeipa-devel] [freeipa PR#694][opened] RFC: implement local PKINIT deployment in server/replica install

2017-04-05 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: opened

PR body:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are following things lacking in this PR that I will either
push on top of this one or create a new PR:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From a3ad3a37972c81dec251c5ad7b1c9795d7ce4581 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 14:14:11 +0200
Subject: [PATCH 1/8] Use only anonymous PKINIT to fetch armor ccache

Since the anonymous principal can only use PKINIT to fetch a credential
cache, it makes no sense to try and use its Kerberos key to establish a
FAST channel.

We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830
---
 ipalib/install/kinit.py | 30 +-
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a8..fb6caee 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@
 
 import gssapi
 
-from ipalib.constants import ANON_USER
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import run
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
 raise RuntimeError(result.error_output)
 
 
-def kinit_armor(ccache_name):
+def kinit_armor(ccache_name, pkinit_anchor=None):
 """
-perform kinit to obtain anonymous ticket to be used as armor for FAST.
+perform anonymous pkinit to obtain anonymous ticket to be used as armor
+for FAST.
+
+:param ccache_name: location of the armor ccache
+:param pkinit_anchor: if not None, the location of PKINIT anchor file to
+use. Otherwise the value from Kerberos client library configuration is
+used
+
+:raises: CalledProcessError if the anonymous PKINIT fails
 """
 root_logger.debug("Initializing anonymous ccache")
 
 env = {'LC_ALL': 'C'}
-# try with the keytab first and then again fallback to try with pkinit in
-# case someone decided it is fun to remove Anonymous keys from the entry
-# or in future pkinit enabled principal enforce the use of pkinit
-try:
-# Gssapi does not understand anonymous cred use kinit command instead
-args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
-ANON_USER, '-c', ccache_name]
-run(args, env=env, raiseonerr=True, capture_error=True)
-return
-except Exception as e:
-root_logger.debug("Failed to init Anonymous keytab: %s", e,
-  exc_info=True)
-
-root_logger.debug("Fallback to slower Anonymous PKINIT")
 args = [paths.KINIT, '-n', '-c', ccache_name]
 
+if pkinit_anchor is not None:
+args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
+
 # this workaround enables us to capture stderr and put it
 # into the raised exception in case of unsuccessful authentication
 run(args, env=env, raiseonerr=True, capture_error=True)
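Review bot: `kinit_armor` now fails outright wherever anonymous PKINIT does not work, since the `paths.ANON_KEYTAB` attempt that used to come first is gone; the docstring documents the `CalledProcessError`, but please check that every caller (and the upgrade path on masters installed with `--no-pkinit`) copes with that instead of relying on the old keytab fallback. Minor: when `pkinit_anchor` is given, check that the file exists and is readable by the calling process before passing `X509_anchors=FILE:...`, because a missing anchor otherwise surfaces only as a generic kinit failure.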

From 4946b1f34dcc50cd46979ed249f308791a5cc397 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 31 Mar 2017 14:44:29 +0200
Subject: [PATCH 2/8] krbinstance: add the ability to record and retrieve
 PKINIT status

An API was added to record the configured PKINIT status in the state
file during KDC configuration. The PKINIT feature can have the following
states:
   * full PKINIT: PKINIT certificate was issued by IPA CA and all
 clients with IPA CA configured as PKINIT trust anchor will be able
 to perform PKINIT and request an anonymous TGT from this KDC
   * external PKINIT: the PKINIT certificate was provided by a 3rd party
 in a PKCS#12 bundle and all clients that have its root CA as anchor
 can request TGTs by PKINIT
   * local PKINIT: PKINIT certificate was self-signed by KDC's private
 key. This is a fallback mechanism usable only locally on the master
 hosting the KDC. Its intended use is to provide FAST armoring for
 password authenticated requests (e.g. WebUI logins)
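
The three states listed in the commit message above can be told apart from the certificate the KDC actually serves: a local PKINIT certificate has identical issuer and subject, a full PKINIT certificate is issued by the IPA CA, and anything else is external. The Python below is an added example, not code from the PR or from FreeIPA. It reads the X.509 issuer and subject Names with a minimal DER walker (standard library only) and compares them with the CA certificate's subject. `build_demo_cert` fabricates unsigned certificate skeletons purely so the check can be exercised offline; on a real master you would point `pkinit_variant_from_files` at the files the page calls `paths.KDC_CERT` and `paths.IPA_CA_CRT` (assumed here to be `/var/kerberos/krb5kdc/kdc.crt` and `/etc/ipa/ca.crt`).

```python
"""Tell a master's PKINIT variant apart from its KDC certificate (added example)."""
import base64


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(der):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        yield tag, value


def issuer_and_subject(cert_der):
    """Return the DER contents of the issuer and subject Names of an X.509 cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    return fields[2][1], fields[4][1]       # issuer, subject


def pkinit_variant(kdc_cert_der, ipa_ca_cert_der):
    """Map the KDC certificate onto the three states from the commit message.

    local    : issuer == subject (self-signed, only usable on this master)
    full     : issued by the IPA CA
    external : issued by some other CA (3rd party PKCS#12)
    """
    issuer, subject = issuer_and_subject(kdc_cert_der)
    _, ca_subject = issuer_and_subject(ipa_ca_cert_der)
    if issuer == subject:
        return "local"
    if issuer == ca_subject:
        return "full"
    return "external"


def _pem_to_der(pem_text):
    """Decode the first PEM block, ignoring the ----- header and footer lines."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def pkinit_variant_from_files(kdc_cert_path, ipa_ca_cert_path):
    """Same check against PEM files (assumed: the KDC cert and the IPA CA cert)."""
    with open(kdc_cert_path) as kdc, open(ipa_ca_cert_path) as ca:
        return pkinit_variant(_pem_to_der(kdc.read()), _pem_to_der(ca.read()))


# --- constructed test input: DER skeletons with a dummy key and signature ---

def _tlv(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lenbytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body


def _name(common_name):
    """Name ::= SEQUENCE OF RDN; one RDN holding a single commonName."""
    oid_cn = b"\x06\x03\x55\x04\x03"                         # id-at-commonName
    atv = _tlv(0x30, oid_cn + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def build_demo_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned certificate, for exercising the parser only."""
    sha256_rsa = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"170401000000Z") + _tlv(0x17, b"270401000000Z"))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00\x00"))   # dummy public key
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00\x00"))  # dummy signature
```

Matching issuer and subject is only a necessary condition for a self-signed certificate; a strict check also verifies the signature with the certificate's own public key, and a 3rd party CA could in principle issue a certificate whose subject mirrors its issuer. The installer in this PR records the state from its own configuration steps rather than from the certificate, so treat this as an independent cross-check, not a replacement.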

[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-05 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements a basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases proper PKINIT was not configured for whatever reasons.

Nevertheless, there are following things lacking in this PR that I will either
push on top of this one or create a new PR:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option

2017-04-05 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

martbab commented:
"""
@flo-renaud can you please add a test case for this to 
`ipatests/test_xmlrpc/test_range_plugin.py` so that we do not regress in the 
future?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291779673

[Freeipa-devel] [freeipa PR#681][comment] Fix ipadiscovery

2017-04-03 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/681
Title: #681: Fix ipadiscovery

martbab commented:
"""
Hi Alex, a few comments:

1.) please see the PEP8 guide for correct Python formatting 
(https://www.python.org/dev/peps/pep-0008/); namely, do not use tabs but 4 spaces 
for indentation.

2.) I do not see much value in sorting TXT records. We are searching for the 
_kerberos TXT record, which should occur only once in a DNS domain.

3.) please use the more concise sorting mechanism mentioned by @tiran; your way 
is very unpythonic and inefficient (list insertions).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/681#issuecomment-291064621

[Freeipa-devel] [freeipa PR#666][synchronized] Fix anonymous principal handling in replica install

2017-03-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/666
Author: martbab
 Title: #666: Fix anonymous principal handling in replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/666/head:pr666
git checkout pr666
From ec8727e7bdd367005def508195e56809b4135f14 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:41:59 +0100
Subject: [PATCH 1/2] Always check and create anonymous principal during KDC
 install

The anonymous principal will now be checked for presence and created on
both server and replica install. This fixes errors caused during replica
installation against older masters that do not have the anonymous principal
present.

https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/krbinstance.py | 17 +
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 5f4b528..6c105f7 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -33,7 +33,7 @@
 from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython import kernel_keyring
-from ipalib import api
+from ipalib import api, errors
 from ipalib.constants import ANON_USER
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
@@ -142,6 +142,7 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 pass
 
 def __common_post_setup(self):
+self.step("creating anonymous principal", self.add_anonymous_principal)
 self.step("starting the KDC", self.__start_instance)
 self.step("configuring KDC to start on boot", self.__enable)
 
@@ -160,7 +161,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 self.step("creating a keytab for the directory", self.__create_ds_keytab)
 self.step("creating a keytab for the machine", self.__create_host_keytab)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-self.step("creating anonymous principal", self.add_anonymous_principal)
 
 self.__common_post_setup()
 
@@ -432,8 +432,17 @@ def get_anonymous_principal_name(self):
 def add_anonymous_principal(self):
 # Create the special anonymous principal
 princ_realm = self.get_anonymous_principal_name()
-installutils.kadmin_addprinc(princ_realm)
-self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
+try:
+self.api.Backend.ldap2.get_entry(dn)
+except errors.NotFound:
+installutils.kadmin_addprinc(princ_realm)
+self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
+
+try:
+self.api.Backend.ldap2.set_entry_active(dn, True)
+except errors.AlreadyActive:
+pass
 
 def __convert_to_gssapi_replication(self):
 repl = replication.ReplicationManager(self.realm,
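Review bot: the ACI from `anon-princ-aci.ldif` is applied only in the `errors.NotFound` branch, so an anonymous principal entry that already exists but lacks the ACI is never repaired; either apply the ACI unconditionally if `_ldap_mod` tolerates an already present value, or check for it separately. The `get_entry(dn)` followed by `kadmin_addprinc` is also a check-then-act: on a replica the entry can arrive through replication in between, so catching the duplicate-principal error from `kadmin_addprinc` would be more robust than the pre-check alone.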

From 26bb2d6bbd681d2ec0fbd78645334351aa55a7e7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 16:52:14 +0100
Subject: [PATCH 2/2] Remove duplicate functionality in upgrade

Since the krbinstance code can now handle all operations of the
`enable_anonymous_principal` function from upgrade we can remove the
extraneous function altogether.

https://pagure.io/freeipa/issue/6799
---
 ipaserver/install/server/upgrade.py | 16 +---
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0db764c..25b8629 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1482,20 +1482,6 @@ def add_default_caacl(ca):
 sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
 
 
-def enable_anonymous_principal(krb):
-princ_realm = krb.get_anonymous_principal_name()
-dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
-try:
-_ = api.Backend.ldap2.get_entry(dn)  # pylint: disable=unused-variable
-except ipalib.errors.NotFound:
-krb.add_anonymous_principal()
-
-try:
-api.Backend.ldap2.set_entry_active(dn, True)
-except ipalib.errors.AlreadyActive:
-pass
-
-
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
 
@@ -1809,7 +1795,7 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
-enable_anonymous_principal(krb)
+krb.add_anonymous_principal()
 http.request_anon_keytab()
 setup_pkinit(krb)
 
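Review bot: `krb.add_anonymous_principal()` now does its LDAP lookups through `self.api.Backend.ldap2` (see the krbinstance hunk above), whereas the removed `enable_anonymous_principal` used the module-level `api`; make sure the `KrbInstance` constructed in `upgrade_configuration` is given `api` (its construction is not visible in this hunk), otherwise this step fails with an `AttributeError` during upgrade.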

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0

martbab commented:
"""
@MartinBasti WebUI not working in DL0/--no-pkinit is beyond the scope of this 
PR. I am working on fixing that in a separate PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/640#issuecomment-290052050

[Freeipa-devel] [freeipa PR#666][opened] Fix anonymous principal handling in replica install

2017-03-28 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/666
Author: martbab
 Title: #666: Fix anonymous principal handling in replica install
Action: opened

PR body:
"""
This PR should unblock replica install against <4.5 masters if the `--no-pkinit`
option is given. Be aware of the non-working WebUI after install; this will be
fixed once local PKINIT is implemented.

Requires https://github.com/freeipa/freeipa/pull/631
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/666/head:pr666
git checkout pr666
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/6] Upgrade: configure PKINIT after adding anonymous
 principal

In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade will fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
-setup_pkinit(krb)
 enable_anonymous_principal(krb)
 http.request_anon_keytab()
+setup_pkinit(krb)
 
 if not ds_running:
 ds.stop(ds_serverid)

From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/6] Remove unused variable from failed anonymous PKINIT
 handling

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-except ipautil.CalledProcessError as e:
+except ipautil.CalledProcessError:
 raise RuntimeError("Failed to configure anonymous PKINIT")
 
 def enable_ssl(self):
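Review bot: dropping `as e` also drops the only place the failing `kinit -n` stderr could be reported; `raise RuntimeError("Failed to configure anonymous PKINIT")` then gives an admin nothing to debug. Keep the binding and include the error output in the message (or `raise ... from e`) rather than removing it to silence the unused-variable warning.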

From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/6] Split out anonymous PKINIT test to a separate method

This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
 root_logger.critical("krb5kdc service failed to restart")
 raise
 
+def test_anonymous_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
 self.steps = []
 self.step("installing X509 Certificate for PKINIT",
   self.setup_pkinit)
+self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 
 self.start_creation()
 
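Review bot: the anonymous PKINIT verification now runs only as a step of `enable_ssl`; `setup_pkinit` itself no longer proves the KDC can issue an anonymous TGT, so any other caller of `setup_pkinit` (the `setup_pkinit(krb)` wrapper in upgrade.py calls `krb.setup_pkinit()` directly) silently loses the check unless it also calls `test_anonymous_pkinit`.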

From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/6] Ensure KDC is properly configured after upgrade

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
 
-if os.path.exists(paths.KDC_CERT):
-root_logger.info("PKINIT already set up")
-return
-
 if not api.Command.ca_is_enabled()['result']:
 root_logger.info("CA is not enabled")
 return
 
-krb.setup_pkinit()
+if not os.path.exists(pa

[Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal

2017-03-28 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/631
Author: martbab
 Title: #631: Upgrade: configure PKINIT after adding anonymous principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/631/head:pr631
git checkout pr631
From 11ab779e1f5ed4bc0d97ce812636e2c51f044b26 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous
 principal

In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade will fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
-setup_pkinit(krb)
 enable_anonymous_principal(krb)
 http.request_anon_keytab()
+setup_pkinit(krb)
 
 if not ds_running:
 ds.stop(ds_serverid)
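Review bot: Moving `setup_pkinit(krb)` after `http.request_anon_keytab()` means that if the anonymous PKINIT check inside `krb.setup_pkinit()` fails (it raises RuntimeError, see patch 2/4 below), the upgrade aborts at this point, after the DS and HTTP changes have been made but before `ds.stop(ds_serverid)` runs. Either catch and log that error in the upgrade's `setup_pkinit` so the remaining steps still execute, or state in the commit message that aborting the upgrade here is intended.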

From 25247306f44fd01eb737bedfdeec925f506dec6b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT
 handling

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-except ipautil.CalledProcessError as e:
+except ipautil.CalledProcessError:
 raise RuntimeError("Failed to configure anonymous PKINIT")
 
 def enable_ssl(self):

From 2adbb7d5bcb14759625e9805e2ebcb36b2586362 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/4] Split out anonymous PKINIT test to a separate method

This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
 root_logger.critical("krb5kdc service failed to restart")
 raise
 
+def test_anonymous_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
 self.steps = []
 self.step("installing X509 Certificate for PKINIT",
   self.setup_pkinit)
+self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 
 self.start_creation()
 

From a2ecdb818ef9e3f8dc2bb97688c894c99ca9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/4] Ensure KDC is properly configured after upgrade

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
 
-if os.path.exists(paths.KDC_CERT):
-root_logger.info("PKINIT already set up")
-return
-
 if not api.Command.ca_is_enabled()['result']:
 root_logger.info("CA is not enabled")
 return
 
-krb.setup_pkinit()
+if not os.path.exists(paths.KDC_CERT):
+root_logger.info("Requesting PKINIT certificate")
+krb.setup_pkinit()
+
 replacevars = dict()
 replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
 paths.KDC_CERT,paths.KDC_KEY)
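Review bot: After patch 3/4 moved the `kinit -n` check out of `krb.setup_pkinit()` into `test_anonymous_pkinit`, this hunk's upgrade path only calls `krb.setup_pkinit()` when the certificate is missing and never verifies anonymous PKINIT at all; the second hunk (`@@ -1519,6 +1518,7 @@`) is not visible here, so make sure it, or this one, calls `krb.test_anonymous_pkinit()` once the kdc.conf `pkinit_identity` update is done. Minor style point: `paths.KDC_CERT,paths.KDC_KEY` is missing the space after the comma.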
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):

[Freeipa-devel] [freeipa PR#631][comment] Upgrade: configure PKINIT after adding anonymous principal

2017-03-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/631
Title: #631: Upgrade: configure PKINIT after adding anonymous principal

martbab commented:
"""
I have prepared a more thorough fix which should cover more edge cases.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/631#issuecomment-289378096
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#631][synchronized] Upgrade: configure PKINIT after adding anonymous principal

2017-03-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/631
Author: martbab
 Title: #631: Upgrade: configure PKINIT after adding anonymous principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/631/head:pr631
git checkout pr631
From 280d2949e6fcde67354aaf0ecd7b2eacf4b0b097 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 21 Mar 2017 17:03:35 +0100
Subject: [PATCH 1/4] Upgrade: configure PKINIT after adding anonymous
 principal

In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade will fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..be07d78 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1809,9 +1809,9 @@ def upgrade_configuration():
 KDC_CERT=paths.KDC_CERT,
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM)
-setup_pkinit(krb)
 enable_anonymous_principal(krb)
 http.request_anon_keytab()
+setup_pkinit(krb)
 
 if not ds_running:
 ds.stop(ds_serverid)

From 9719d674bb7ab79a2019d82aebc750a80ba7f635 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:01:34 +0100
Subject: [PATCH 2/4] Remove unused variable from failed anonymous PKINIT
 handling

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index d936cc5..c817076 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -413,7 +413,7 @@ def setup_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
-except ipautil.CalledProcessError as e:
+except ipautil.CalledProcessError:
 raise RuntimeError("Failed to configure anonymous PKINIT")
 
 def enable_ssl(self):

From 3a241ab63883cec399b4d57f65628901aeff4523 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 10:04:52 +0100
Subject: [PATCH 3/4] Split out anonymous PKINIT test to a separate method

This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c817076..5f4b528 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -410,6 +410,7 @@ def setup_pkinit(self):
 root_logger.critical("krb5kdc service failed to restart")
 raise
 
+def test_anonymous_pkinit(self):
 with ipautil.private_ccache() as anon_ccache:
 try:
 ipautil.run([paths.KINIT, '-n', '-c', anon_ccache])
@@ -421,6 +422,7 @@ def enable_ssl(self):
 self.steps = []
 self.step("installing X509 Certificate for PKINIT",
   self.setup_pkinit)
+self.step("testing anonymous PKINIT", self.test_anonymous_pkinit)
 
 self.start_creation()
 

From e12c9eb32900a086d26411b8a243bfca83048eca Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 22 Mar 2017 11:56:18 +0100
Subject: [PATCH 4/4] Ensure KDC is properly configured after upgrade

https://pagure.io/freeipa/issue/6792
---
 ipaserver/install/server/upgrade.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index be07d78..0db764c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1499,15 +1499,14 @@ def enable_anonymous_principal(krb):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
 
-if os.path.exists(paths.KDC_CERT):
-root_logger.info("PKINIT already set up")
-return
-
 if not api.Command.ca_is_enabled()['result']:
 root_logger.info("CA is not enabled")
 return
 
-krb.setup_pkinit()
+if not os.path.exists(paths.KDC_CERT):
+root_logger.info("Requesting PKINIT certificate")
+krb.setup_pkinit()
+
 replacevars = dict()
 replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
 paths.KDC_CERT,paths.KDC_KEY)
@@ -1519,6 +1518,7 @@ def setup_pkinit(krb):

[Freeipa-devel] [freeipa PR#634][closed] cert: do not limit internal searches in cert-find

2017-03-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/634
Author: HonzaCholasta
 Title: #634: cert: do not limit internal searches in cert-find
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/634/head:pr634
git checkout pr634

[Freeipa-devel] [freeipa PR#634][+pushed] cert: do not limit internal searches in cert-find

2017-03-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/634
Title: #634: cert: do not limit internal searches in cert-find

Label: +pushed

[Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find

2017-03-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/634
Title: #634: cert: do not limit internal searches in cert-find

martbab commented:
"""
master:

* 6de507c2cad255975665eca6dd6ef7c8f2458d51 cert: do not limit internal searches in cert-find

ipa-4-5:

* 6382f9eee335907362a5ccb44b892f59de7d3751 cert: do not limit internal searches in cert-find
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/634#issuecomment-289370236

[Freeipa-devel] [freeipa PR#639][+pushed] WebUI: Login for AD Users

2017-03-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

Label: +pushed

[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users

2017-03-27 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

martbab commented:
"""
master:

* 1dcdcd12f4336c98e7507fe0e7f0c0da2bc69eba WebUI: check principals in lowercase
* 2992e3c5d480567cfdc71b38365d5d74f009b4d2 WebUI: add method for disabling item in user dropdown menu
* ceedc3f7ecb1300ed5bfaf5db8ef1b1450c6288e WebUI: Add support for login for AD users

ipa-4-5:

* bee9c9f090e7808a2381054fa63c1d036743296c WebUI: check principals in lowercase
* 01a0a38bdf53821bc420f01dc98fae577f83eabb WebUI: add method for disabling item in user dropdown menu
* 228e039e7d718ced7dce7c32cca3a89404c0a16e WebUI: Add support for login for AD users
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/639#issuecomment-289369118

[Freeipa-devel] [freeipa PR#639][closed] WebUI: Login for AD Users

2017-03-27 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/639
Author: pvomacka
 Title: #639: WebUI: Login for AD Users
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/639/head:pr639
git checkout pr639

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/640
Title: #640: Remove pkinit options from master/replica on DL0

martbab commented:
"""
@abbra I believe these changes are in line with our recent discussion regarding 
pkinit availability on DL0. Do you agree?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/640#issuecomment-289033452

[Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/637
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current 
connection

martbab commented:
"""
ipa-4-5:

* 7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection

master:

* 7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/637#issuecomment-288453968

[Freeipa-devel] [freeipa PR#637][+pushed] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/637
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current 
connection

Label: +pushed

[Freeipa-devel] [freeipa PR#637][closed] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/637
Author: abbra
 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current 
connection
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/637/head:pr637
git checkout pr637

[Freeipa-devel] [freeipa PR#637][+ack] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/637
Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current 
connection

Label: +ack

[Freeipa-devel] [freeipa PR#622][closed] replica prepare: fix wrong IPA CA nickname in replica file

2017-03-22 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/622
Author: HonzaCholasta
 Title: #622: replica prepare: fix wrong IPA CA nickname in replica file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/622/head:pr622
git checkout pr622

[Freeipa-devel] [freeipa PR#622][+pushed] replica prepare: fix wrong IPA CA nickname in replica file

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/622
Title: #622: replica prepare: fix wrong IPA CA nickname in replica file

Label: +pushed

[Freeipa-devel] [freeipa PR#622][comment] replica prepare: fix wrong IPA CA nickname in replica file

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/622
Title: #622: replica prepare: fix wrong IPA CA nickname in replica file

martbab commented:
"""
master:

* 9939aa53630a9c6a66e83140e64ec56539891c13 replica prepare: fix wrong IPA CA nickname in replica file

ipa-4-5:

* df60e88e1bca6efd5ebf2a88e7825a5fd2631f08 replica prepare: fix wrong IPA CA nickname in replica file
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/622#issuecomment-288425325

[Freeipa-devel] [freeipa PR#622][+ack] replica prepare: fix wrong IPA CA nickname in replica file

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/622
Title: #622: replica prepare: fix wrong IPA CA nickname in replica file

Label: +ack

[Freeipa-devel] [freeipa PR#622][comment] replica prepare: fix wrong IPA CA nickname in replica file

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/622
Title: #622: replica prepare: fix wrong IPA CA nickname in replica file

martbab commented:
"""
I ran into some issues with CA deployment, but they vanished after 
re-provisioning my test env. Otherwise it works.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/622#issuecomment-288420027

[Freeipa-devel] [freeipa PR#615][closed] httpinstance: clean up /etc/httpd/alias on uninstall

2017-03-22 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/615
Author: HonzaCholasta
 Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/615/head:pr615
git checkout pr615

[Freeipa-devel] [freeipa PR#615][comment] httpinstance: clean up /etc/httpd/alias on uninstall

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/615
Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall

martbab commented:
"""
ipa-4-5:

* cf188c8513c6b36a0724866025ddc220683de8dc certs: do not implicitly create DS pin.txt
* f788e3e36bcaefc7d94c92895916246681e64291 httpinstance: clean up /etc/httpd/alias on uninstall

master:

* bbd18cf10f2e67e5205a3a3bee883272e89c0042 certs: do not implicitly create DS pin.txt
* e263cb46cba604421d5ed2e1dbf5dd1d66ce0221 httpinstance: clean up /etc/httpd/alias on uninstall
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/615#issuecomment-288406554

[Freeipa-devel] [freeipa PR#615][+pushed] httpinstance: clean up /etc/httpd/alias on uninstall

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/615
Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall

Label: +pushed

[Freeipa-devel] [freeipa PR#615][+ack] httpinstance: clean up /etc/httpd/alias on uninstall

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/615
Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall

Label: +ack

[Freeipa-devel] [freeipa PR#627][synchronized] Add CI helper script invocation to Travis CI

2017-03-22 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/627
Author: martbab
 Title: #627: Add CI helper script invocation to Travis CI
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/627/head:pr627
git checkout pr627
From aec9f5ee65c3d3e0fd4b8ce3e31088d264a15132 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Mon, 20 Mar 2017 12:12:50 +0100
Subject: [PATCH] Travis CI: invoke integration test helper scripts before test
 execution

This is to verify that all the executables are working properly (have
correct import paths etc.)
---
 .test_runner_config.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index 85c48be..4013505 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -59,6 +59,8 @@ steps:
   - echo ${server_password} > ~/.ipa/.dmpw
   - echo 'wait_for_dns=5' >> ~/.ipa/default.conf
   run_tests:
+  - ipa-test-config --help
+  - ipa-test-task --help
   - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path}
 tests:
   ignore:
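Review bot: `ipa-test-config --help` and `ipa-test-task --help` placed inside `run_tests` only prove that the two scripts import and build their argument parsers, which matches the stated aim, but a broken import there will be reported as a failed test run rather than as a setup problem. Consider a dedicated step before `run_tests`, or at least a YAML comment explaining why these two invocations precede `ipa-run-tests`.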

[Freeipa-devel] [freeipa PR#602][+pushed] configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in

2017-03-22 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/602
Title: #602: configure: Use ODS_USER and NAMED_GROUP in 
daemons/dnssec/*.service.in

Label: +pushed
