[Freeipa-devel] [freeipa PR#785][comment] otptoken-add-yubikey: When --digits not provided use default value
URL: https://github.com/freeipa/freeipa/pull/785
Title: #785: otptoken-add-yubikey: When --digits not provided use default value

stlaz commented:
"""
Works for me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/785#issuecomment-301708499

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#785][+ack] otptoken-add-yubikey: When --digits not provided use default value
URL: https://github.com/freeipa/freeipa/pull/785
Title: #785: otptoken-add-yubikey: When --digits not provided use default value
Label: +ack
[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

stlaz commented:
"""
I asked today at a meeting and the `ipaclient/remote_plugins/2_*/*.py` changes are fine. If you could possibly change the one small issue, we will finally be able to push this :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-301492072
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
`kinit -n` still fails with my external CA setup. I found out the reason is that I have a self-signed certificate in the trust chain:
```
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
```
This does not happen without this patchset, so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
`kinit -n` still fails with my setup. I found out the reason is that I have a self-signed certificate in the trust chain:
```
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
```
This does not happen without this patchset, so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948
[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation
URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
Title: #783: Provide useful messages during cert validation
Action: edited
Changed field: body
Original value:
"""
When the certificate validation was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back.
"""
[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation
URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
Title: #783: Provide useful messages during cert validation
Action: edited
Changed field: body
Original value:
"""
When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back.
"""
[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
Title: #783: Provide useful messages during cert verification
Action: edited
Changed field: title
Original value:
"""
Provide useful messages during cert verification
"""
[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From 3c56e3d293f1ab872dddb185b368177e34796d97 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert validation When the certificate validation was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): 
@@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12
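Review bot: in the verify_server_cert_validity hunk, `msg = e.output.split(': ')[2].strip()` is brittle: it raises IndexError (masking the original certutil failure) whenever the captured output has fewer than two ': ' separators, and it truncates any reason text that itself contains ': '. Splitting with a bounded count, e.g. `e.output.split(': ', 2)[-1]`, and falling back to the raw output when the expected 'certutil: certificate is invalid: ' prefix is absent would keep the ValueError informative in every case.

Review bot: the verify_ca_cert_validity hunk repeats the same capture, split and BAD_USAGE_ERR comparison as the server-cert hunk, differing only in the `-u` flag and the fallback string ('invalid for a CA.' vs 'invalid for a SSL server.'); a small helper such as `_certutil_error_message(self, nickname, usage, fallback)` would keep both paths in sync if the parsing is ever adjusted.

Review bot: the test_caless.py hunks replace assertions that required the "(SEC_ERROR_EXPIRED_CERTIFICATE)" prefix with the plain CERT_EXPIRED_MSG = "Peer's Certificate has expired."; since assert_error matches a substring this passes whether or not the NSS error code is still printed, so the commit message should state whether dropping the code from the user-facing message is intended.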
[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From a811c5fb7d1ee68c8f987e1ca228af58326f9a3a Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert verification When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. https://pagure.io/freeipa/issue/6945 --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): 
@@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + '
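Review bot: both certdb.py hunks carry the comment "certutil output in case of error is 'certutil: certificate is invalid: \n'" and then index `split(': ')[2]`, which assumes the reason never contains ': ' itself; a bounded split (`split(': ', 2)[-1]`) would honour the documented format without that assumption, and the identical except blocks in verify_server_cert_validity and verify_ca_cert_validity are a good candidate for one shared helper.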
[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

stlaz commented:
"""
You forgot an import in ipa-ca-install:
```
* Module ipa-ca-install
install/tools/ipa-ca-install:37: [W0611(unused-import), ] Unused ScriptError imported from ipapython.admintool)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-301058163
[Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

stlaz commented:
"""
LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/728#issuecomment-301043646
[Freeipa-devel] [freeipa PR#783][opened] Provide useful messages during cert verification
URL: https://github.com/freeipa/freeipa/pull/783 Author: stlaz Title: #783: Provide useful messages during cert verification Action: opened PR body: """ When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/783/head:pr783 git checkout pr783 From 159ed99baebf29fcd928e5fdbc27036564243414 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 12 May 2017 10:41:08 +0200 Subject: [PATCH] Provide useful messages during cert verification When the certificate verification was replaced, some error messages were omitted (like "Peer's certificate expired."). Bring these back. --- ipapython/certdb.py | 26 -- ipatests/test_integration/test_caless.py | 32 ++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..b86a705 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,8 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm @@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname): cert = x509.load_certificate(cert, x509.DER) try: -self.run_certutil(['-V', '-n', nickname, '-u', 'V']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a SSL server') +self.run_certutil(['-V', '-n', nickname, '-u', 'V'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a SSL server.' +raise ValueError(msg) try: x509.match_hostname(cert, hostname) 
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") try: -self.run_certutil(['-V', '-n', nickname, '-u', 'L']) -except ipautil.CalledProcessError: -raise ValueError('invalid for a CA') +self.run_certutil(['-V', '-n', nickname, '-u', 'L'], + capture_output=True) +except ipautil.CalledProcessError as e: +# certutil output in case of error is +# 'certutil: certificate is invalid: \n' +msg = e.output.split(': ')[2].strip() +if msg == BAD_USAGE_ERR: +msg = 'invalid for a CA.' +raise ValueError(msg) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index d7692ec..62ebba3 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -38,6 +38,8 @@ assert_error = tasks.assert_error +CERT_EXPIRED_MSG = "Peer's Certificate has expired." + def get_install_stdin(cert_passwords=()): lines = [ @@ -495,9 +497,8 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in http.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_expired_ds(self): @@ -511,9 +512,8 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in dirsrv.p12 is not valid: ' - "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " - 'expired.') + 'The server certificate in dirsrv.p12 is not valid: {err}' + .format(err=CERT_EXPIRED_MSG)) @server_install_teardown def test_http_bad_usage(self): @@ -884,9 +884,8 @@ def test_expired_http(self): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'The server certificate in http.p12 is not valid: ' - &
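Review bot: the commit message of 159ed99 describes the regression but cites no ticket, unlike the usual FreeIPA convention of a trailing issue URL; please add the tracker link so the restored messages ("Peer's certificate expired." and the BAD_USAGE_ERR mapping) can be traced back to the report.

Review bot: in the verify_server_cert_validity and verify_ca_cert_validity hunks, `e.output.split(': ')[2]` will raise IndexError rather than ValueError if certutil ever prints a shorter line, turning a clear validation failure into a traceback; guard the index (or use `split(': ', 2)[-1]`) and fall back to the raw output.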
[Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command
URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 From 02e9b01ea1827de218f29279c5707cd5ec87103f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 10 May 2017 15:54:21 +0200 Subject: [PATCH] Deprecate pkinit-anonymous command Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. Deprecate the command which is capable of turning this feature off. https://pagure.io/freeipa/issue/6936 --- API.txt | 2 +- VERSION.m4 | 4 +-- ipaserver/plugins/pkinit.py | 74 ++--- 3 files changed, 19 insertions(+), 61 deletions(-) diff --git a/API.txt b/API.txt index fa7582d..afd664e 100644 --- a/API.txt +++ b/API.txt @@ -3738,7 +3738,7 @@ option: Str('version?') output: Output('summary', type=[, ]) command: pkinit_anonymous/1 args: 1,1,1 -arg: Str('action') +arg: Str('action?') option: Str('version?') output: Output('result') command: plugins/1 diff --git a/VERSION.m4 b/VERSION.m4 index 6ec56c5..d915fe3 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 225) -# Last change: Add --password-expiration option to force password change +define(IPA_API_VERSION_MINOR, 226) +# Last change: Deprecate the pkinit-anonymous command diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py index b6b3f38..81e6449 100644 --- a/ipaserver/plugins/pkinit.py +++ b/ipaserver/plugins/pkinit.py 
@@ -17,36 +17,21 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -from ipalib import api, errors from ipalib import Str from ipalib import Object, Command from ipalib import _ +from ipalib import messages from ipalib.plugable import Registry -from ipalib.constants import ANON_USER -from ipapython.dn import DN __doc__ = _(""" Kerberos pkinit options -Enable or disable anonymous pkinit using the principal -WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with -pkinit support. - -EXAMPLES: - - Enable anonymous pkinit: - ipa pkinit-anonymous enable - - Disable anonymous pkinit: - ipa pkinit-anonymous disable - -For more information on anonymous pkinit see: - -http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +This module is deprecated since FreeIPA 4.5.1 """) register = Registry() + @register() class pkinit(Object): """ 
@@ -57,49 +42,22 @@ class pkinit(Object): label=_('PKINIT') -def valid_arg(ugettext, action): -""" -Accepts only Enable/Disable. -""" -a = action.lower() -if a != 'enable' and a != 'disable': -raise errors.ValidationError( -name='action', -error=_('Unknown command %s') % action -) - @register() class pkinit_anonymous(Command): -__doc__ = _('Enable or Disable Anonymous PKINIT.') - -princ_name = '%s@%s' % (ANON_USER, api.env.realm) -default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn) +__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n' +'Deprecated since FreeIPA 4.5.1') takes_args = ( -Str('action', valid_arg), +Str('action?'), ) -def execute(self, action, **options): -ldap = self.api.Backend.ldap2 -set_lock = False -lock = None - -entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock']) - -if 'nsaccountlock' in entry_attrs: -lock = entry_attrs['nsaccountlock'][0].lower() - -if action.lower() == 'enable': -if lock == 'true': -set_lock = True -lock = None -elif action.lower() == 'disable': -if lock != 'true': -set_lock = True -lock = 'TRUE' - -if set_lock: -entry_attrs['nsaccountlock'] = lock -ldap.update_entry(entry_attrs) - -return dict(result=True) +def execute(self, action=None, **options): +self.add_message( +messages.CommandDeprecatedWarning( +command='pkinit-anonymous', +additional_info=_('This command was deprecated in ' + 'FreeIPA 4.5.1 because Anonymous PKINIT is ' + 'required for the system to work.')
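Review bot: in the pkinit.py execute hunk, `action` is still accepted (`Str('action?')`, `execute(self, action=None, ...)`) but never read, so `ipa pkinit-anonymous disable` now succeeds with only a CommandDeprecatedWarning while changing nothing; since the removed valid_arg validator also no longer rejects unknown values, the command docstring should say explicitly that the argument is ignored so automation that relied on the old behaviour fails loudly rather than silently.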
[Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command
URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 From 09bc1fe1bcd9c7729a8619982d16c18e23a5af20 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 10 May 2017 15:54:21 +0200 Subject: [PATCH] Deprecate pkinit-anonymous command Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. Deprecate the command which is capable of turning this feature off. https://pagure.io/freeipa/issue/6936 --- API.txt | 2 +- VERSION.m4 | 4 +-- ipaserver/plugins/pkinit.py | 74 ++--- 3 files changed, 19 insertions(+), 61 deletions(-) diff --git a/API.txt b/API.txt index fa7582d..afd664e 100644 --- a/API.txt +++ b/API.txt @@ -3738,7 +3738,7 @@ option: Str('version?') output: Output('summary', type=[, ]) command: pkinit_anonymous/1 args: 1,1,1 -arg: Str('action') +arg: Str('action?') option: Str('version?') output: Output('result') command: plugins/1 diff --git a/VERSION.m4 b/VERSION.m4 index 6ec56c5..d915fe3 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 225) -# Last change: Add --password-expiration option to force password change +define(IPA_API_VERSION_MINOR, 226) +# Last change: Deprecate the pkinit-anonymous command diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py index b6b3f38..9d58c6e 100644 --- a/ipaserver/plugins/pkinit.py +++ b/ipaserver/plugins/pkinit.py 
@@ -17,36 +17,21 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -from ipalib import api, errors from ipalib import Str from ipalib import Object, Command from ipalib import _ +from ipalib import messages from ipalib.plugable import Registry -from ipalib.constants import ANON_USER -from ipapython.dn import DN __doc__ = _(""" Kerberos pkinit options -Enable or disable anonymous pkinit using the principal -WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with -pkinit support. - -EXAMPLES: - - Enable anonymous pkinit: - ipa pkinit-anonymous enable - - Disable anonymous pkinit: - ipa pkinit-anonymous disable - -For more information on anonymous pkinit see: - -http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +This module is deprecated since FreeIPA 4.5.1 """) register = Registry() + @register() class pkinit(Object): """ 
@@ -57,49 +42,22 @@ class pkinit(Object): label=_('PKINIT') -def valid_arg(ugettext, action): -""" -Accepts only Enable/Disable. -""" -a = action.lower() -if a != 'enable' and a != 'disable': -raise errors.ValidationError( -name='action', -error=_('Unknown command %s') % action -) - @register() class pkinit_anonymous(Command): -__doc__ = _('Enable or Disable Anonymous PKINIT.') - -princ_name = '%s@%s' % (ANON_USER, api.env.realm) -default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn) +__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n' +'Deprecated since FreeIPA 4.5.1') takes_args = ( -Str('action', valid_arg), +Str('action?'), ) -def execute(self, action, **options): -ldap = self.api.Backend.ldap2 -set_lock = False -lock = None - -entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock']) - -if 'nsaccountlock' in entry_attrs: -lock = entry_attrs['nsaccountlock'][0].lower() - -if action.lower() == 'enable': -if lock == 'true': -set_lock = True -lock = None -elif action.lower() == 'disable': -if lock != 'true': -set_lock = True -lock = 'TRUE' - -if set_lock: -entry_attrs['nsaccountlock'] = lock -ldap.update_entry(entry_attrs) - -return dict(result=True) +def execute(self, **options): +self.add_message( +messages.CommandDeprecatedWarning( +command='pkinit-anonymous', +additional_info=_('This command was deprecated in ' + 'FreeIPA 4.5.1 because Anonymous PKINIT is ' + 'required for the system to work.')
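Review bot: the pkinit.py execute hunk changes the signature to `execute(self, **options)` while takes_args still declares `Str('action?')`; confirm that the command framework delivers an optional positional argument through **options, otherwise a call such as `ipa pkinit-anonymous disable` would raise TypeError instead of the intended deprecation warning. Keeping the `action=None` parameter from the earlier revision is the safer shape.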
[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

stlaz commented:
"""
Yes, that seems to have fixed that. Please do squash them now, I guess we can ACK this ;)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-300493147
[Freeipa-devel] [freeipa PR#774][opened] Deprecate pkinit-anonymous command
URL: https://github.com/freeipa/freeipa/pull/774 Author: stlaz Title: #774: Deprecate pkinit-anonymous command Action: opened PR body: """ Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. Deprecate the command which is capable of turning this feature off. https://pagure.io/freeipa/issue/6936 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/774/head:pr774 git checkout pr774 From 83d1b5170ebe9ad1c01c75d6738c3d0fd59c0ef1 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 10 May 2017 15:54:21 +0200 Subject: [PATCH] Deprecate pkinit-anonymous command Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. Deprecate the command which is capable of turning this feature off. https://pagure.io/freeipa/issue/6936 --- ipaserver/plugins/pkinit.py | 74 ++--- 1 file changed, 16 insertions(+), 58 deletions(-) diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py index b6b3f38..9d58c6e 100644 --- a/ipaserver/plugins/pkinit.py +++ b/ipaserver/plugins/pkinit.py 
@@ -17,36 +17,21 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -from ipalib import api, errors from ipalib import Str from ipalib import Object, Command from ipalib import _ +from ipalib import messages from ipalib.plugable import Registry -from ipalib.constants import ANON_USER -from ipapython.dn import DN __doc__ = _(""" Kerberos pkinit options -Enable or disable anonymous pkinit using the principal -WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with -pkinit support. - -EXAMPLES: - - Enable anonymous pkinit: - ipa pkinit-anonymous enable - - Disable anonymous pkinit: - ipa pkinit-anonymous disable - -For more information on anonymous pkinit see: - -http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +This module is deprecated since FreeIPA 4.5.1 """) register = Registry() + @register() class pkinit(Object): """ 
@@ -57,49 +42,22 @@ class pkinit(Object): label=_('PKINIT') -def valid_arg(ugettext, action): -""" -Accepts only Enable/Disable. -""" -a = action.lower() -if a != 'enable' and a != 'disable': -raise errors.ValidationError( -name='action', -error=_('Unknown command %s') % action -) - @register() class pkinit_anonymous(Command): -__doc__ = _('Enable or Disable Anonymous PKINIT.') - -princ_name = '%s@%s' % (ANON_USER, api.env.realm) -default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn) +__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n' +'Deprecated since FreeIPA 4.5.1') takes_args = ( -Str('action', valid_arg), +Str('action?'), ) -def execute(self, action, **options): -ldap = self.api.Backend.ldap2 -set_lock = False -lock = None - -entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock']) - -if 'nsaccountlock' in entry_attrs: -lock = entry_attrs['nsaccountlock'][0].lower() - -if action.lower() == 'enable': -if lock == 'true': -set_lock = True -lock = None -elif action.lower() == 'disable': -if lock != 'true': -set_lock = True -lock = 'TRUE' - -if set_lock: -entry_attrs['nsaccountlock'] = lock -ldap.update_entry(entry_attrs) - -return dict(result=True) +def execute(self, **options): +self.add_message( +messages.CommandDeprecatedWarning( +command='pkinit-anonymous', +additional_info=_('This command was deprecated in ' + 'FreeIPA 4.5.1 because Anonymous PKINIT is ' + 'required for the system to work.') +) +) +return {'result': None} -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
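Review bot: changing the argument from `Str('action', valid_arg)` to `Str('action?')` alters the public API signature of pkinit_anonymous, but this commit touches only ipaserver/plugins/pkinit.py (1 file changed); API.txt and the API version in VERSION.m4 need to be updated in the same change, and `return {'result': None}` should be checked against the declared `Output('result')` so the deprecated command still returns a well-formed result.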
[Freeipa-devel] [freeipa PR#770][+ack] cert-show: writable files does not mean dirs
URL: https://github.com/freeipa/freeipa/pull/770 Title: #770: cert-show: writable files does not mean dirs Label: +ack
[Freeipa-devel] [freeipa PR#771][synchronized] cert-show: check if certificate_out is in options
URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771 From cc2eb10ab57403d9ac5bd7b2680491f129af89bc Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 9 May 2017 17:45:20 +0200 Subject: [PATCH] ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Let's just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 --- ipaclient/plugins/ca.py | 8 ++-- ipaclient/plugins/cert.py | 12 +--- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py index fcdf484..fe9c55f 100644 --- a/ipaclient/plugins/ca.py +++ b/ipaclient/plugins/ca.py @@ -4,7 +4,7 @@ import base64 from ipaclient.frontend import MethodOverride -from ipalib import util, x509, Str +from ipalib import errors, util, x509, Str from ipalib.plugable import Registry from ipalib.text import _ @@ -26,7 +26,11 @@ def forward(self, *keys, **options): filename = None if 'certificate_out' in options: filename = options.pop('certificate_out') -util.check_writable_file(filename) +try: +util.check_writable_file(filename) +except errors.FileError as e: +raise errors.ValidationError(name='certificate-out', + error=str(e)) result = super(WithCertOutArgs, self).forward(*keys, **options) if filename: diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py index a4ee9a9..541b82a 100644 --- a/ipaclient/plugins/cert.py +++ b/ipaclient/plugins/cert.py 
@@ -49,9 +49,15 @@ class CertRetrieveOverride(MethodOverride): ) def forward(self, *args, **options): -certificate_out = options.pop('certificate_out', None) -if certificate_out is not None: -util.check_writable_file(certificate_out) +if 'certificate_out' in options: +certificate_out = options.pop('certificate_out') +try: +util.check_writable_file(certificate_out) +except errors.FileError as e: +raise errors.ValidationError(name='certificate-out', + error=str(e)) +else: +certificate_out = None result = super(CertRetrieveOverride, self).forward(*args, **options)
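Review bot: in the ca.py hunk, `error=str(e)` converts the translated `FileError` message to a byte string; on a Python 2 client with a non-ASCII locale, `str()` of a unicode `reason` (e.g. the `_('Permission denied: %(file)s')` text after translation) can raise `UnicodeEncodeError` inside the `except` block, turning a clean validation error into a traceback. Use whatever unicode conversion the module already relies on (`six.text_type(e)` or `unicode(e)`) instead of `str(e)`, and do the same in the cert.py hunk.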
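Review bot: the cert.py hunk repeats the ca.py `try`/`except errors.FileError`/`raise errors.ValidationError(name='certificate-out', error=str(e))` block verbatim; since the commit's point is to unify the two, put the conversion in one small helper (for example next to `util.check_writable_file`) and call it from both plugins, so the option name and message format cannot drift apart again. The `else: certificate_out = None` branch is still needed because `certificate_out` is used after `forward()`, so that part is fine.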
[Freeipa-devel] [freeipa PR#771][opened] cert-show: check if certificate_out is in options
URL: https://github.com/freeipa/freeipa/pull/771 Author: stlaz Title: #771: cert-show: check if certificate_out is in options Action: opened PR body: """ If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None, though. https://pagure.io/freeipa/issue/6885 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/771/head:pr771 git checkout pr771 From 46db5c88fa85915f56def93ae7ea20b34b2aac32 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 9 May 2017 17:45:20 +0200 Subject: [PATCH] cert-show: check if certificate_out is in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None, though. https://pagure.io/freeipa/issue/6885 --- ipaclient/plugins/cert.py | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py index a4ee9a9..1809de0 100644 --- a/ipaclient/plugins/cert.py +++ b/ipaclient/plugins/cert.py @@ -49,9 +49,14 @@ class CertRetrieveOverride(MethodOverride): ) def forward(self, *args, **options): -certificate_out = options.pop('certificate_out', None) -if certificate_out is not None: +if 'certificate_out' in options: +certificate_out = options.pop('certificate_out') +if certificate_out is None: +raise errors.ValidationError(name='certificate-out', + error=_(u'cannot be empty')) util.check_writable_file(certificate_out) +else: +certificate_out = None result = super(CertRetrieveOverride, self).forward(*args, **options)
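Review bot: the hunk uses `errors.ValidationError` and `_(u'cannot be empty')` but shows no import change for `errors` or `_` in cert.py; confirm both are already imported there, otherwise the new branch fails with `NameError` exactly when a user passes an empty `--certificate-out`. Also, `util.check_writable_file(None)` already raises `FileError(reason=_('Filename is empty'))`, so the explicit `if certificate_out is None:` branch only changes the exception type; if the goal is a `ValidationError` naming the option, wrapping the `check_writable_file` call in `try`/`except errors.FileError` covers the empty case and the unwritable-path case in one place.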
[Freeipa-devel] [freeipa PR#770][opened] cert-show: writable files does not mean dirs
URL: https://github.com/freeipa/freeipa/pull/770 Author: stlaz Title: #770: cert-show: writable files does not mean dirs Action: opened PR body: """ ipalib.util.check_writable_file didn't check whether the argument is an actual file which is now fixed. https://pagure.io/freeipa/issue/6883 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/770/head:pr770 git checkout pr770 From 8e14e41045971193649e8f3acc0bbab0c053b7a8 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 9 May 2017 17:49:56 +0200 Subject: [PATCH] cert-show: writable files does not mean dirs ipalib.util.check_writable_file didn't check whether the argument is an actual file which is now fixed. https://pagure.io/freeipa/issue/6883 --- ipalib/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..f89ac14 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -171,7 +171,7 @@ def check_writable_file(filename): if filename is None: raise errors.FileError(reason=_('Filename is empty')) try: -if os.path.exists(filename): +if os.path.isfile(filename): if not os.access(filename, os.W_OK): raise errors.FileError(reason=_('Permission denied: %(file)s') % dict(file=filename)) else:
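Review bot: changing `os.path.exists` to `os.path.isfile` does not by itself reject a directory; an existing directory (or socket, FIFO, or dangling symlink) now skips the `os.access(filename, os.W_OK)` test and falls into the `else:` branch, which this hunk does not show. If that branch only checks that the parent directory is writable, `cert-show --certificate-out /some/dir` still passes the check and fails later on the actual write. Add an explicit branch before the `else`, e.g. `elif os.path.exists(filename): raise errors.FileError(reason=_('Not a regular file: %(file)s') % dict(file=filename))`, so the error is raised where the commit message says it is.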
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Alright, thanks. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300146298
[Freeipa-devel] [freeipa PR#760][+ack] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 Label: +ack
[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2
URL: https://github.com/freeipa/freeipa/pull/760 Title: #760: [4.4] Run ipa-custodia under Python 2 stlaz commented: """ Works for me. However, I do not see the reason to do `custodia > 0.2`, please, either provide some or remove it. """ See the full comment at https://github.com/freeipa/freeipa/pull/760#issuecomment-300140520
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA stlaz commented: """ @pvoborni @rcritten @martbab This discussion at this PR makes no sense. Clearly we can see that the impact is much higher and should be discussed on designated channels, meaning either **freeipa-devel** mailing list or in our issue tracking system (the former would be preferable with having the result in the latter). I believe that the guys from the Dogtag project could also have a great insight on this. Here are questions which should answer why I want this to be discussed there:

- how to handle users so they don't use `ipa-ca-install --uninstall` any time?
- at which point is the installation recoverable and when it's not?
- describe what happens in each and every step, mention which files and entries are created
  - on master
  - on replica
- describe what has to be done in case a step fails for each and every step
  - on master
  - on replica
- describe how `ipa-ca-install` rollback should behave when installing first CA in a CA-less setup

These problems are just from the top of my head and I am a CA installation noob. I would however be very cautious not knowing an answer to either of those. @rcritten if you do know the answers, please, share them with us (or maybe just me because I sure don't know them), it would help a lot with deciding on where to go from here. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300120774
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Title: #758: install: fix CA-less PKINIT stlaz commented: """ External CA (rebased on current master to be able to install): ``` $ kinit -n kinit: Invalid certificate while getting initial credentials $ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem kinit: Invalid certificate while getting initial credentials ``` and on replica: ``` $ kinit -n kinit: Preauthentication failed while getting initial credentials ``` => this breaks WebUI on external CA installations. = CA-less with `--no-pkinit`: ``` $ kinit -n kinit: Preauthentication failed while getting initial credentials ``` but I guess that's expected, WebUI works since the following does work as well: ``` $ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem ``` = In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce: ``` Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) ipa : ERROR Failed to configure PKINIT Done configuring Kerberos KDC (krb5kdc). ``` when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate. """ See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018
[Freeipa-devel] [freeipa PR#763][edited] Dogtag fail
URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag fail Action: edited Changed field: title Original value: """ Dogtag fail """
[Freeipa-devel] [freeipa PR#763][opened] Dogtag fail
URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag fail Action: opened PR body: """ **Make CA/KRA fail when they don't start** Since all the services throw exceptions when we're unable to start/restart them, CA/KRA should not be an exception to it. **Fix wrong message on Dogtag instances stop** https://pagure.io/freeipa/issue/6766 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/763/head:pr763 git checkout pr763 From c3ab7b00b28bd349119371a214a3a3a22ab4c133 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 4 May 2017 14:58:46 +0200 Subject: [PATCH 1/2] Make CA/KRA fail when they don't start Since all the services throw exceptions when we're unable to start/restart them, CA/KRA should not be an exception to it. https://pagure.io/freeipa/issue/6766 --- ipaserver/install/dogtaginstance.py | 16 ++-- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 356358a..f79031b 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -156,22 +156,10 @@ def clean_pkispawn_files(self): ignore_errors=True) def restart_instance(self): -try: -self.restart('pki-tomcat') -except Exception: -self.log.debug(traceback.format_exc()) -self.log.critical( -"Failed to restart the Dogtag instance." -"See the installation log for details.") +self.restart('pki-tomcat') def start_instance(self): -try: -self.start('pki-tomcat') -except Exception: -self.log.debug(traceback.format_exc()) -self.log.critical( -"Failed to restart the Dogtag instance." -"See the installation log for details.") +self.start('pki-tomcat') def stop_instance(self): try: From fd1b004ea772fff154199f79a2750eaf45fab14e Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 4 May 2017 15:00:33 +0200 Subject: [PATCH 2/2] Fix wrong message on Dogtag instances stop https://pagure.io/freeipa/issue/6766 --- ipaserver/install/dogtaginstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f79031b..831d996 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -167,7 +167,7 @@ def stop_instance(self): except Exception: self.log.debug(traceback.format_exc()) self.log.critical( -"Failed to restart the Dogtag instance." +"Failed to stop the Dogtag instance." "See the installation log for details.") def enable_client_auth_to_db(self, config):
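Review bot: in the PATCH 1/2 hunk, dropping the `try`/`except` around `self.restart('pki-tomcat')` and `self.start('pki-tomcat')` also drops the `log.critical` line that pointed the operator at the installation log, so a CA/KRA start failure now surfaces only as whatever exception the service backend raises. Check that the installer's step runner prints something equally actionable for that exception, or re-raise with the "See the installation log for details" hint attached. `traceback` is still used by `stop_instance`, so leaving its import in place is correct.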
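Review bot: in the PATCH 2/2 hunk, the two adjacent string literals passed to `self.log.critical(` are concatenated without a separating space, so the message reads "...the Dogtag instance.See the installation log for details."; since the line is being touched anyway, change it to `"Failed to stop the Dogtag instance. "` so the logged sentence is readable.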
[Freeipa-devel] [freeipa PR#753][+ack] Check CA status: add HTTP timeout
URL: https://github.com/freeipa/freeipa/pull/753 Title: #753: Check CA status: add HTTP timeout Label: +ack
[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Except for the one change I pointed out, this is all OK with me. The only thing I am not sure about is whether we can go changing the doc texts in `ipaclient/remote_plugins/2_*/*.py` since these are kept for backward compatibility, but I hope someone can clear this up for me. If you could possibly remove the change at the line I noted, I will ACK this as soon as we can be sure about those changes in the `remote_plugins/` directory. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-299122208
[Freeipa-devel] [freeipa PR#762][opened] fix managed-entries printing IPA not installed
URL: https://github.com/freeipa/freeipa/pull/762 Author: stlaz Title: #762: fix managed-entries printing IPA not installed Action: opened PR body: """ ipa-managed-entries would print "IPA is not configured on this system." even though this is not true if run as a normal user. Add check for root running the script. https://pagure.io/freeipa/issue/6928 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/762/head:pr762 git checkout pr762 From 85deb5f7323fbeb490ae3d2195811b80a1844ad8 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 4 May 2017 09:42:36 +0200 Subject: [PATCH] fix managed-entries printing IPA not installed ipa-managed-entries would print "IPA is not configured on this system." even though this is not true if run as a normal user. Add check for root running the script. https://pagure.io/freeipa/issue/6928 --- install/tools/ipa-managed-entries | 3 +++ 1 file changed, 3 insertions(+) diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries index 731dcc3..4aceee5 100755 --- a/install/tools/ipa-managed-entries +++ b/install/tools/ipa-managed-entries @@ -20,6 +20,7 @@ from __future__ import print_function +import os import re import sys from optparse import OptionParser # pylint: disable=deprecated-module @@ -193,4 +194,6 @@ def main(): return retval if __name__ == '__main__': +if not os.geteuid() == 0: +sys.exit("\nMust be run as root\n") installutils.run_script(main, operation_name='ipa-managed-entries')
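Review bot: in the `__main__` hunk, `if not os.geteuid() == 0:` is clearer as `if os.geteuid() != 0:`. Placing the check before `installutils.run_script(...)` is the right spot, since it is what keeps the misleading "IPA is not configured on this system." from being printed for an unprivileged user; `sys.exit("\nMust be run as root\n")` writes the message to stderr and exits non-zero, which is what a script caller would expect.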
[Freeipa-devel] [freeipa PR#726][comment] Add check for directory name
URL: https://github.com/freeipa/freeipa/pull/726 Title: #726: Add check for directory name stlaz commented: """ Obviously we can't push this until the tests pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/726#issuecomment-299112001
[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password stlaz commented: """ There will be no more sys.exits. This patchset shall not be ACKed until all have been removed. """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-29913
[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host
URL: https://github.com/freeipa/freeipa/pull/761 Title: #761: Fixing adding authenticator indicators to host stlaz commented: """ ``` * Module ipaserver.plugins.host ipaserver/plugins/host.py:887: [C0303(trailing-whitespace), ] Trailing whitespace) ``` \+ wrong author in the commit """ See the full comment at https://github.com/freeipa/freeipa/pull/761#issuecomment-299104113
[Freeipa-devel] [freeipa PR#679][+ack] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: +ack
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Removing the ACK to retest on 4.4.4 with Fedora custodia version. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298916263
[Freeipa-devel] [freeipa PR#679][-ack] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: -ack
[Freeipa-devel] [freeipa PR#679][+ack] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys Label: +ack
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Will do, ACKing this in the meantime. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298913680
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ It seems that replica install fails even without this patch so it's OK to go with it? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298892918
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Not sure, I will try that. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298890816
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ I was able to do it two times in a row with the same master, I can try to reinstall both the master and replica if you want. What do you mean "unclean"? It's a clean 4.4.4 master, no code changes, `/etc/httpd/alias` and `/etc/pki/pki-tomcat/alias` NSS databases seem fine, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-29556
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Seems to work fine against current master, but fails with ``` Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR 503 Server Error: Service Unavailable for url: https://vm-096.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.k6y2jmI8oxRIsieU93_RzG5mZU_u_DPW2XL2jjLukYPZ3oZOkLkufof0fBeH6LAR66aL9m5C9j26GmhlTqNsm2FUQT7Xql975rYR3veooDwLQlPx6k4X1J4CTEeSsf7RVj8KfLE5e4K-nW1hTyepsbm7RDAA_-tbLvWzEqCQ0I3bfpPEDmlML08FA9T_yuPb1FkT0-lSCLV5PHya4tOB3R2q5CHC2b6BpwZQtbVW8eohshEmJMTO2NMAyPlfJscgSHYmhi6oliToV_Dh90Ej1UH_S0UOkHLsvIV5IoW4EGeaGdeHwHo4GsSGHGN3exVxWk9GShhJ_WJ-dlXSGQ_9CA.SfWWO_VrqzKKX3EYSh3E1Q.n4GtjcFZOQSZmAG9MShIQVtfRv_N3jEQMS46rLGUU6xIS-BYBL0Xq1UWP6VFrZW-g96Iqe2PIBhv4m1FsuAzP_gzac1lCr2ghcVuj3rAUg81G5s8vPuYNl_Ur5UVlQ2LtWzGLc26s1z_43MF7qCl8iayvXqnweK8_kj54F1RUJ-Awp0--Z4mnK_FFrPU4BBW2_EjZ1tOR8dV7NnxnN2Gd2tiDFl6Kkbj91rf6Bo2f8telN5RJsX52PsNW2z-l78TOIAKY4qfHhSVz31RO3xgUbyu3yQ79sGIxD66hzmVisB_LnbpNHbIjCP1wKEXXSo-IPrDtXk7ZWZrEITtItzynbzBKddVLjcNMjoqGz-lhLWVNg8R8rdHEdUzhlkdM-kFfW6Fz57wSyOZnt4KvQ-lZxY62TLQB1gqJ7vhzUPUs1g7C9rsy4gTQPjuRxXnLRvqXSb3arQPkrUl_hLqRuAm8FL-ClYY9G38KVns81QTygKvkDC8E5LQBJfyzkg93AyTXNBcrdCxP8AGgaxLBlGyEX-ya0g3mVX5fz_Uj6gyKjtOS_x1AUHOMkAMRmVEzvixrz-krCMWYOQDmJi19OlNeNjb7-NUVDxPRryr7e6Po2OqSbSjP6kUSw_QbMZf8BCrqV4TUFOwndTmZ68n1TOrCqie-UO71TJnherD_3m60_t3-Li1uy6_WWX66BBEMCCtsZBJWP7OYj7c9CzWGuzUEI7g75i4TZwoM1z0SjuyoPE.ZbRawj1B943OeF6AD_W0Z3pfk13fs14rbj_Ab8n-ZXI 
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information ``` against 4.4.4 master. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298844054
[Freeipa-devel] [freeipa PR#754][+ack] ipa-server-install with external CA: fix pkinit cert issuance
URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance Label: +ack
[Freeipa-devel] [freeipa PR#754][comment] ipa-server-install with external CA: fix pkinit cert issuance
URL: https://github.com/freeipa/freeipa/pull/754 Title: #754: ipa-server-install with external CA: fix pkinit cert issuance stlaz commented: """ LGTM, will test it. """ See the full comment at https://github.com/freeipa/freeipa/pull/754#issuecomment-298853939
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ @simo5 will check, sorry for not replying yesterday, I was no longer at my machine. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298829885
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ Still fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298681896
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ Turns out I forgot to reorder the CA installation steps a bit. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298631763
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 802b2ad635f3e62290c95bb0636c85d90199d84b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 5 ++--- ipaserver/plugins/dogtag.py | 30 ++ 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 84d60bf..d72feb8 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -425,6 +425,8 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Configure HTTP to proxy connections", self.http_proxy) self.step("restarting certificate server", self.restart_instance) +self.step("updating IPA configuration", update_ipa_conf) +self.step("enabling CA instance", self.__enable_instance) if not promote: self.step("migrating certificate profiles to LDAP", migrate_profiles_to_ldap) 
@@ -432,9 +434,6 @@ def configure_instance(self, host_name, dm_password, admin_password, import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) -self.step("updating IPA configuration", update_ipa_conf) - -self.step("enabling CA instance", self.__enable_instance) self.step("configuring certmonger renewal for lightweight CAs", self.__add_lightweight_ca_tracking_requests) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..bddaab5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
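Review bot: the two cainstance.py hunks move the "updating IPA configuration" (`update_ipa_conf`) and "enabling CA instance" (`self.__enable_instance`) steps ahead of "migrating certificate profiles to LDAP" and the other steps under `if not promote:`, but the commit message only talks about refreshing `RestClient.ca_host` even though its diffstat lists `ipaserver/install/cainstance.py`. Please state in the message why the profile migration must now run after `update_ipa_conf` and `__enable_instance`; a reader of this patch can only guess that it is so the later steps, which the message says must hit the local CA on port 8443, pick the freshly configured local instance.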
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +object.__setattr__(self, '_ca_host', api.env.ca_host) +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +object.__setattr__(self, '_ca_host', api.env.host) else: -return api.env.ca_host +object.__setattr__(self, '_ca_host', select_any_master(ldap2)) +if self._ca_host is None: +object.__setattr__(self, '_ca_host', api.env.ca_host) +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From f57ed03e978368
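Review bot: in the rewritten `ca_host` getter the `else:` that now holds `select_any_master(ldap2)` can bind to only one of the two preceding conditions, so one of the two paths that previously reached `select_any_master` (either `api.env.host == api.env.ca_host` with no CA service on that host, or `api.env.host != api.env.ca_host` with no CA service on either) now falls straight to the final `api.env.ca_host` fallback, a host the lookup has just reported as not providing a CA. The original code called `select_any_master(ldap2)` in both cases; restore that by moving the call out of the `else:` into the trailing step, for example `if self._ca_host is None: self._ca_host = select_any_master(ldap2) or api.env.ca_host`. Separately, `object.__setattr__(self, '_ca_host', ...)` is used where plain `self._ca_host = ...` would do; if `RestClient` or its base class overrides `__setattr__` and that is why the bypass is needed, say so in a comment, otherwise use ordinary assignment. The docstring's "FQDN of a host hopefully providing a CA service" should spell out the actual selection order and fallback instead of "hopefully".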
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ This was supposed to be fixed by the patch and worked for me, it seems that I may need to investigate it further. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-298610326
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 169dea79ade3283c25821fef3c4a6062ec6aef6d Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 30 ++ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..bddaab5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +object.__setattr__(self, '_ca_host', api.env.ca_host) +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +object.__setattr__(self, '_ca_host', api.env.host) else: -return api.env.ca_host +object.__setattr__(self, '_ca_host', select_any_master(ldap2)) +if self._ca_host is None: +object.__setattr__(self, '_ca_host', api.env.ca_host) +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 225fc310606916445fcc152ec21f627e67f95494 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype @@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.stor
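Review bot: the second commit deletes `cachedproperty` from `ipalib/util.py` together with its `WeakKeyDictionary` import on the strength of the message's claim that it "was used in one special use-case"; since `ipalib` is a library other code imports from, please back that claim with a tree-wide search for `cachedproperty` (including tests) in the commit message, so the removal can be verified rather than taken on trust.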
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 8cfc0770191003f9100e3405230e83a2e7059abf Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 30 ++ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..3fb93fd 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,41 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +self._ca_host = api.env.ca_host +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +self._ca_host = api.env.host else: -return api.env.ca_host +self._ca_host = select_any_master(ldap2) +if self._ca_host is None: +self._ca_host = api.env.ca_host +return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 1ccd4c16d8f2043cea5bd271ada4492db9fceca2 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype 
@@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.store[obj] = self.getter(obj) -return self.store[obj] - -def __set__(self, obj,
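Review bot: in this revision the `ca_host` getter assigns `self._ca_host = ...` directly, but `__enter__` still resets the cache with `object.__setattr__(self, '_ca_host', None)`; use the same form in both places. If plain assignment works inside the getter it works in `__enter__` too, and the `object.__setattr__` bypass only obscures whether a `__setattr__` override on the class is being deliberately skipped.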
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys stlaz commented: """ I was expecting some action about my previous comment: > Fails with > 2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, > exception: ValueError: Incorrect number of results (0) searching for public > key for > host/vm-225.abc.idm.lab.eng.brq.redhat@dom-096.abc.idm.lab.eng.brq.redhat.com > on first replica, every try. I did not see any change in code to fix this but I can try again. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298534740
[Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 From 906c2010d594cc7a0e74f7ef80f41ed00581979f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 0665f94..ea73ec1 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): +with open(filename) as f: +return f.read() + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database @@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) 
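Review bot: `get_file_cont` hands NSS the password file's contents verbatim, so if `self.pwd_file` ends with a newline that newline becomes part of the password; return `f.read().rstrip('\n')` (or only the first line) instead. Also, if an `NSSDatabase` can be constructed without a password file, check `self.pwd_file is None` before calling `verify_now` rather than letting `open(None)` raise a TypeError from inside the NSS callback, where the traceback will say nothing about FIPS or the missing password.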
@@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) @@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102:# SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
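Review bot: `nss.set_password_callback(get_file_cont)` is installed in both `verify_server_cert_validity` and `verify_ca_cert_validity` but never restored, so the callback stays process-wide after either method returns; both methods already tear NSS down and re-initialise it (`nss_shutdown()` / `nss_init(self.secdir)`) to get a clean state, so wrap the init, callback registration, verification and cleanup in one shared helper to remove the duplicated plumbing and make the global side effect explicit. Minor: the `-8102` comparison in the server-certificate hunk should carry the same `# SEC_ERROR_INADEQUATE_KEY_USAGE` comment this hunk has.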
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Title: #741: 6.9 -> 7.4 migration fixes stlaz commented: """ For the record - the tests are passing on my machine, something is not right here. """ See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-297969953
[Freeipa-devel] [freeipa PR#747][+ack] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails Label: +ack
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails stlaz commented: """ Thank you for the brief action taken. Re-adding the ACK label. """ See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935390
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails stlaz commented: """ @Akasurde: Don't add ACK label when the PR is not OK! @flo-renaud: You will need to specify a ticket for this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297933288
[Freeipa-devel] [freeipa PR#747][-ack] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Title: #747: vault: piped input for ipa vault-add fails Label: -ack
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From fddf366557e23806a5e05ba06c8471828c8daa7b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 34 ++ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..2ac4674 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,45 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +self._ca_host = api.env.ca_host +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +self._ca_host = api.env.host else: -return api.env.ca_host +self._ca_host = select_any_master(ldap2) +if self._ca_host is None: +self._ca_host = api.env.ca_host +return self._ca_host + +@ca_host.setter +def ca_host(self, value): +self._ca_host = value def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +self._ca_host = None + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 6d7589e8654d11a7d73256d862ecad8168a5e4da Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype @@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.store[obj] = self.getter(
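Review bot: the new `@ca_host.setter` is not used anywhere in the diff: `__enter__` invalidates the cache with `self._ca_host = None` directly and the getter writes `self._ca_host` itself. Either route `__enter__` through the public attribute (`self.ca_host = None`, which then becomes the documented way for a caller to force re-selection) or drop the setter, so that a single code path decides which host receives the RA agent's `/ca/rest/account/login`. If the setter stays, the docstring should say that assigning `None` triggers re-selection on the next read.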
[Freeipa-devel] [freeipa PR#740][+ack] [4.5] Hide PKI Client database password in log file
URL: https://github.com/freeipa/freeipa/pull/740 Title: #740: [4.5] Hide PKI Client database password in log file Label: +ack
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 84f049e2dc5e617b4f49c0e079640bd2ca76c288 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:38:19 +0200 Subject: [PATCH 1/2] Allow rewriting of cached properties Cached property should not be treated anyway special from a normal property. If we need to rewrite/remove it, we should be able to do just so. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..b9206eb 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -520,10 +520,8 @@ def __get__(self, obj, cls): return self.store[obj] def __set__(self, obj, value): -raise AttributeError("can't set attribute") +self.store[obj] = value -def __delete__(self, obj): -raise AttributeError("can't delete attribute") # regexp matching signed floating point number (group 1) followed by # optional whitespace followed by time unit, e.g. day, hour (group 7) From ff579bb9f613d375faae62e2508a876052fa61fb Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 2/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 4 1 file changed, 4 insertions(+) 
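Review bot: rather than turning `cachedproperty.__set__` into an overwrite and deleting `__delete__`, implement `__delete__` as the cache invalidation (`self.store.pop(obj, None)`) so that `del self.ca_host` forces the getter to run again on the next read. With `__delete__` removed, `del` on the attribute still raises AttributeError, only without the explicit message, and a caller who wants a fresh value has to know the correct replacement instead of simply asking for a recomputation. If the setter is kept, the class docstring ("A property-like attribute that caches the return value of a method call") should say that the cached value can be overridden and that the override persists for the object's lifetime.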
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..48dc6b3 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1278,6 +1278,10 @@ def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +if not host_has_service(api.env.ca_host, self.api.Backend.ldap2, "CA"): +self.ca_host = api.env.ca_host + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
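Review bot: the new guard in `__enter__` assigns `self.ca_host = api.env.ca_host` exactly when `host_has_service(api.env.ca_host, self.api.Backend.ldap2, "CA")` reports that this host does not provide a CA service, which is the inverse of what the cached getter does with the same lookup, and nothing in the hunk explains it. If the intent, per the commit message, is that during a DL0 CA installation the local instance is not yet registered in LDAP and must be used anyway, put that in a comment and narrow the override to that case (for example only when `api.env.ca_host == api.env.host`); otherwise any client running with a stale or wrong `ca_host` in its configuration is now pinned to a host the directory says has no CA.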
[Freeipa-devel] [freeipa PR#741][opened] Migration
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: Migration Action: opened PR body: """ **Allow rewriting of cached properties** Cached property should not be treated anyway special from a normal property. If we need to rewrite/remove it, we should be able to do just so. **Refresh Dogtag RestClient.ca_host property** Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From 35ec2ae8ee9a06ced875372cdf6985fed3cf254a Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:38:19 +0200 Subject: [PATCH 1/2] Allow rewriting of cached properties Cached property should not be treated anyway special from a normal property. If we need to rewrite/remove it, we should be able to do just so. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 4 +--- ipaserver/plugins/dogtag.py | 1 + 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..b9206eb 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -520,10 +520,8 @@ def __get__(self, obj, cls): return self.store[obj] def __set__(self, obj, value): -raise AttributeError("can't set attribute") +self.store[obj] = value -def __delete__(self, obj): -raise AttributeError("can't delete attribute") # regexp matching signed floating point number (group 1) followed by # optional whitespace followed by time unit, e.g. day, hour (group 7) 
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..9e4032c 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1248,6 +1248,7 @@ def __init__(self, api): else: self.client_certfile = paths.RA_AGENT_PEM self.client_keyfile = paths.RA_AGENT_KEY + super(RestClient, self).__init__(api) # session cookie From b3a0361bdaa08a952e810fd69406b3833594fd21 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 2/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 4 1 file changed, 4 insertions(+) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 9e4032c..92551f6 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1279,6 +1279,10 @@ def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +if not host_has_service(api.env.ca_host, self.api.Backend.ldap2, "CA"): +self.ca_host = api.env.ca_host + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
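Review bot: the dogtag.py hunk in the first commit ("Allow rewriting of cached properties") only adds a blank line before `super(RestClient, self).__init__(api)`; that whitespace change is unrelated to the commit's subject and shifts the second commit's hunk context (`@@ -1279,6 +1279,10 @@` here versus `@@ -1278,6 +1278,10 @@` in the series without it), so drop it.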
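The CA-host selection this PR body describes, as an added example that is not FreeIPA code: a stand-in directory (`FakeDirectory`, assumed) replaces the LDAP-backed `host_has_service`/`select_any_master` helpers, `Env` stands in for `api.env`, and every hostname is constructed. It replays the DL0 case from the commit message, where the local CA is not yet registered when the client first logs in, against a client that recomputes `ca_host` on every `__enter__` (the approach the later revisions in this thread settle on) and against one that caches it for the object's lifetime, which is the never-invalidated cache the PR set out to fix:

```python
"""Added example, not FreeIPA code: CA-host selection with a per-login cache.

Stand-ins (assumptions, not FreeIPA APIs): FakeDirectory replaces the ldap2
backend helpers host_has_service()/select_any_master(), Env replaces api.env,
and every hostname below is constructed for the example.
"""
from dataclasses import dataclass
from functools import cached_property


@dataclass
class Env:
    host: str     # stand-in for api.env.host, this machine's FQDN
    ca_host: str  # stand-in for api.env.ca_host, the configured CA host


class FakeDirectory:
    """Stand-in for ldap2: the set of hosts currently advertising a CA service."""

    def __init__(self, ca_hosts):
        self.ca_hosts = set(ca_hosts)
        self.lookups = 0  # how often the directory was consulted

    def host_has_service(self, fqdn, service="CA"):
        self.lookups += 1
        return service == "CA" and fqdn in self.ca_hosts

    def select_any_master(self, service="CA"):
        # FreeIPA picks a random master; min() keeps this example deterministic.
        self.lookups += 1
        return min(self.ca_hosts) if self.ca_hosts else None


def choose_ca_host(env, directory):
    """Selection order of RestClient.ca_host before the patch:
    configured ca_host -> this host -> any CA master -> configured ca_host."""
    if directory.host_has_service(env.ca_host):
        return env.ca_host
    if env.host != env.ca_host and directory.host_has_service(env.host):
        return env.host
    return directory.select_any_master() or env.ca_host


class RefreshingClient:
    """ca_host is cached for one login session and recomputed on each __enter__."""

    def __init__(self, env, directory):
        self.env = env
        self.directory = directory
        self._ca_host = None
        self.cookie = None

    @property
    def ca_host(self):
        if self._ca_host is None:
            self._ca_host = choose_ca_host(self.env, self.directory)
        return self._ca_host

    def __enter__(self):
        if self.cookie is None:
            self._ca_host = None  # drop the cached choice before logging in
            self.cookie = "session@" + self.ca_host  # stands in for the REST login
        return self

    def __exit__(self, *exc):
        self.cookie = None
        return False


class StaleClient(RefreshingClient):
    """Same client, but ca_host is computed once per object and never dropped:
    the behaviour of a cached property that cannot be invalidated."""

    @cached_property
    def ca_host(self):
        return choose_ca_host(self.env, self.directory)

    def __enter__(self):
        if self.cookie is None:
            self.cookie = "session@" + self.ca_host
        return self


def dl0_install_scenario(client_cls):
    """Replay the DL0 case from the PR: at the first login only the old master
    advertises a CA; the local CA instance registers itself afterwards.
    Returns the host chosen for the first and for the second login."""
    env = Env(host="replica.example.test", ca_host="replica.example.test")
    directory = FakeDirectory({"master.example.test"})
    client = client_cls(env, directory)
    with client:
        first = client.ca_host
    directory.ca_hosts.add(env.host)  # local CA comes up and registers itself
    with client:
        second = client.ca_host
    return first, second


if __name__ == "__main__":
    print("refreshing:", dl0_install_scenario(RefreshingClient))
    print("stale:     ", dl0_install_scenario(StaleClient))
```

Dropping the cache in `__enter__` costs one or two directory lookups per login; that is the price the thread accepts so that a client never keeps talking to a host it picked under conditions that no longer hold, which is exactly what went wrong on the DL0 install.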
[Freeipa-devel] [freeipa PR#741][edited] Migration
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: Migration Action: edited Changed field: title Original value: """ Migration """
[Freeipa-devel] [freeipa PR#733][comment] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733 Title: #733: [4.5] Fix CA/server cert validation in FIPS stlaz commented: """ Made a quickfix according to @tiran, the ACK can stay. Thanks, I was being paranoid. """ See the full comment at https://github.com/freeipa/freeipa/pull/733#issuecomment-297678732
[Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 From d1d8fdf8e3119067b34164e63e893846803c9fff Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index f1410e5..2f45261 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): +with open(filename) as f: +return f.read() + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database @@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) 
@@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) @@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102:# SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
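Review bot: `get_file_cont` in the first hunk opens `filename` unconditionally, so a database without a password file (`self.pwd_file` being None) turns into a TypeError raised from inside the NSS password callback instead of a clear error, and whatever the file holds is returned verbatim, trailing newline included. Suggest guarding the argument (raise a ValueError that names the missing password file, or return without a password) and adding a docstring stating what NSS passes in the `slot` and `token` positions, since neither is used.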
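Review bot: in the `verify_server_cert_validity` hunk the only error special-cased after `verify_now` is `-8102`, while the commit message itself says that a missing password in FIPS surfaces as SEC_ERROR_BAD_SIGNATURE; that case will now be reported as `ValueError(e.strerror)` with a message about a bad signature and nothing pointing at the password file. Suggest checking that `self.pwd_file` is set and readable before calling `verify_now`, or documenting the FIPS password dependency in the method docstring, and adding the `# SEC_ERROR_INADEQUATE_KEY_USAGE` annotation that the CA hunk has to the bare `-8102` here.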
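Review bot: the `nss_shutdown` / `nss_init(self.secdir)` / `set_password_callback(get_file_cont)` sequence in the `verify_ca_cert_validity` hunk is now identical to the one in `verify_server_cert_validity`, and in both places the callback is registered outside the `try:` that follows, so a failure in `set_password_callback` skips whatever cleanup that block performs. Suggest moving the setup into one helper used by both methods and calling it from inside the `try`.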
[Freeipa-devel] [freeipa PR#739][+ack] [4.5] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/739 Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Label: +ack
[Freeipa-devel] [freeipa PR#733][opened] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: opened PR body: """ In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 From 3490705b960a601ef76efcae7af9b7bd0d32e237 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index f1410e5..16e2514 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,12 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): +with open(filename) as f: +cont = f.read() +return cont + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database 
@@ -547,12 +553,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) @@ -572,6 +580,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) @@ -586,7 +595,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102:# SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
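Review bot: in the first hunk `get_file_cont` reads the file into `cont` only to return it on the next line; `return f.read()` says the same thing. The function also takes `slot` and `token` without using or documenting them, so a one-line docstring stating that this is an NSS password callback and that `filename` arrives as the user data passed to `verify_now` would help the next reader.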
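Review bot: in the `verify_server_cert_validity` hunk, `nss.set_password_callback(get_file_cont)` is placed after `nss_init` but before the `try:`, so if registering the callback raises, the cleanup in that block will not run; move the call inside the `try`. Since the callback is process-global, also consider whether it should be reset after verification so that later NSS users in the same process do not pick up this database's password file.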
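Review bot: the `verify_ca_cert_validity` hunk keeps the `# SEC_ERROR_INADEQUATE_KEY_USAGE` annotation on `-8102` while the server hunk has none; please annotate both, or better define a named constant, since the patch relies on readers telling the inadequate-usage case apart from the SEC_ERROR_BAD_SIGNATURE case the commit message describes.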
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Thanks, now this is ready to be pushed :) """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296920348
[Freeipa-devel] [freeipa PR#714][+ack] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: +ack
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Ah, I did not notice you made a second commit for this. Please, squash them. """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296573574
[Freeipa-devel] [freeipa PR#714][-ack] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: -ack
[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you, along with `git commit --amend --author="Author Name <em...@address.com>"`. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382
[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you, along with `git commit --amend --author="Author Name <em...@address.com>"`. **edit:** I see a lot of confusion in your commits in this PR, some commits appear multiple times, there are revert and merge commits and that makes this PR simply unmergeable. Please note that you don't have to make a new PR, but you can make a new local branch with the changes you want and simply do `git push newbranch:fix-minor-typos` """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382
[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos
URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos stlaz commented: """ Please, see what `git rebase -i master` will do for you. """ See the full comment at https://github.com/freeipa/freeipa/pull/716#issuecomment-296531382
[Freeipa-devel] [freeipa PR#714][comment] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 stlaz commented: """ Thanks, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/714#issuecomment-296531049
[Freeipa-devel] [freeipa PR#714][+ack] fix minor typo in ipa-adtrust-install.1
URL: https://github.com/freeipa/freeipa/pull/714 Title: #714: fix minor typo in ipa-adtrust-install.1 Label: +ack
[Freeipa-devel] [freeipa PR#711][synchronized] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 From a9630776df8393cb751d2e515a1773ae91584427 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:32:34 +0200 Subject: [PATCH 1/4] compat-manage: behave the same for all users Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do external bind when it does not have the DIRMAN password which was previously not supplied. https://pagure.io/freeipa/issue/6821 --- install/tools/ipa-compat-manage | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index a29a92f..6dd259d 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -105,7 +105,7 @@ def main(): debug=options.debug, confdir=paths.ETC_IPA) api.finalize() -api.Backend.ldap2.connect() +api.Backend.ldap2.connect(bind_pw=dirman_password) if args[0] == "status": entry = None From 780886737edf4cbf3cb098271544c5492a50c77d Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 13 Apr 2017 09:15:47 +0200 Subject: [PATCH 2/4] Move the compat plugin setup at the end of install The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 --- install/share/Makefile.am | 1 - install/share/schema_compat.uldif | 128 -- install/updates/10-schema_compat.update | 93 - install/updates/80-schema_compat.update | 222 install/updates/Makefile.am | 2 +- ipaplatform/base/paths.py | 3 +- ipaserver/install/dsinstance.py | 9 -- 7 files changed, 225 insertions(+), 233 deletions(-) delete mode 100644 install/share/schema_compat.uldif delete mode 100644 install/updates/10-schema_compat.update create mode 100644 install/updates/80-schema_compat.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 3a34f6e..e7fac0c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -65,7 +65,6 @@ dist_app_DATA =\ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ - schema_compat.uldif \ ldapi.ldif \ wsgi.py\ repoint-managed-entries.ldif \ diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif deleted file mode 100644 index 66f8ea1..000 --- a/install/share/schema_compat.uldif +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Enable the Schema Compatibility plugin provided by slapi-nis. -# -# http://slapi-nis.fedorahosted.org/ -# -dn: cn=Schema Compatibility, cn=plugins, cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: Schema Compatibility -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so -default:nsslapd-plugininitfunc: schema_compat_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginenabled: on -default:nsslapd-pluginid: schema-compat-plugin -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 40 -default:nsslapd-pluginversion: 0.8 -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: Schema Compatibility Plugin - -dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: users -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=users -default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixAccount -default:schema-compat-entry-rdn: uid=%{uid} -default:schema-compat-entry-attribute: objectclass=posixAccount -default:schema-compat-entry-attribute: gecos=%{cn} -default:schema-compat-entry-attribute: cn=%{cn} -default:schema-compat-entry-attribute: uidNumber=%{uidNumber} -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: loginShell=%{loginShell} -default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget&quo
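Review bot: the `ipa-compat-manage` hunk in patch 1/4 passes `bind_pw=dirman_password` but no bind DN, so it relies on `ldap2.connect` defaulting to the Directory Manager DN whenever a password is supplied; passing `bind_dn` explicitly (or a comment stating the default) would make the code match the commit message, and it is worth confirming that `dirman_password` is always populated before this line for the `status` path as well as for enable/disable.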
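Review bot: for the `install/share/Makefile.am` and `schema_compat.uldif` hunks of patch 2/4, the deleted file carried the comment about running the schema-compat pre-bind callback before other IPA pre-bind callbacks together with `nsslapd-pluginprecedence: 40`; please confirm the new `80-schema_compat.update` keeps both the setting and the comment, and state in the commit message that the `80-` prefix is what orders the compat plugin after the topology plugin setup, since that ordering is the whole point of the change.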
[Freeipa-devel] [freeipa PR#711][comment] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711 Title: #711: Compat-plugin related fixes stlaz commented: """ The latest patchset fixes also problems with ipa-compat-manage which would behave differently for root/other-users (check the commit message), and updates the link to slapi-nis project in the compat plugin update file to the correct one. """ See the full comment at https://github.com/freeipa/freeipa/pull/711#issuecomment-296116091
[Freeipa-devel] [freeipa PR#711][edited] Compat-plugin related fixes
URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: edited Changed field: title Original value: """ Move the compat plugin setup at the end of install """
[Freeipa-devel] [freeipa PR#711][synchronized] Move the compat plugin setup at the end of install
URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Move the compat plugin setup at the end of install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711 From a9630776df8393cb751d2e515a1773ae91584427 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:32:34 +0200 Subject: [PATCH 1/4] compat-manage: behave the same for all users Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do external bind when it does not have the DIRMAN password which was previously not supplied. https://pagure.io/freeipa/issue/6821 --- install/tools/ipa-compat-manage | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index a29a92f..6dd259d 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -105,7 +105,7 @@ def main(): debug=options.debug, confdir=paths.ETC_IPA) api.finalize() -api.Backend.ldap2.connect() +api.Backend.ldap2.connect(bind_pw=dirman_password) if args[0] == "status": entry = None From 7f859cb40ec5f23904f2178122bb24acd5d8b953 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 13 Apr 2017 09:15:47 +0200 Subject: [PATCH 2/4] Move the compat plugin setup at the end of install The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 --- install/share/Makefile.am | 1 - install/share/schema_compat.uldif | 128 -- install/updates/10-schema_compat.update | 93 - install/updates/80-schema_compat.update | 222 install/updates/Makefile.am | 2 +- ipaplatform/base/paths.py | 3 +- ipaserver/install/dsinstance.py | 8 -- 7 files changed, 225 insertions(+), 232 deletions(-) delete mode 100644 install/share/schema_compat.uldif delete mode 100644 install/updates/10-schema_compat.update create mode 100644 install/updates/80-schema_compat.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 3a34f6e..e7fac0c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -65,7 +65,6 @@ dist_app_DATA =\ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ - schema_compat.uldif \ ldapi.ldif \ wsgi.py\ repoint-managed-entries.ldif \ diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif deleted file mode 100644 index 66f8ea1..000 --- a/install/share/schema_compat.uldif +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Enable the Schema Compatibility plugin provided by slapi-nis. -# -# http://slapi-nis.fedorahosted.org/ -# -dn: cn=Schema Compatibility, cn=plugins, cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: Schema Compatibility -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so -default:nsslapd-plugininitfunc: schema_compat_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginenabled: on -default:nsslapd-pluginid: schema-compat-plugin -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 40 -default:nsslapd-pluginversion: 0.8 -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: Schema Compatibility Plugin - -dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: users -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=users -default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixAccount -default:schema-compat-entry-rdn: uid=%{uid} -default:schema-compat-entry-attribute: objectclass=posixAccount -default:schema-compat-entry-attribute: gecos=%{cn} -default:schema-compat-entry-attribute: cn=%{cn} -default:schema-compat-entry-attribute: uidNumber=%{uidNumber} -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: loginShell=%{loginShell} -default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclas
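Review bot: the `schema_compat.uldif` deletion hunk of patch 2/4 shows the plugin configured with `nsslapd-pluginbetxn: on` and a `schema-compat-search-base` under `cn=accounts`, but the commit message says the fix is to remove `cn=topology,cn=ipa,cn=etc` from the compat plugin's scope, and the diff as it arrives here is cut off before the new `80-schema_compat.update` file; the commit message should name which setting in the new update file implements that exclusion so a reviewer can check it without reconstructing the file.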
[Freeipa-devel] [freeipa PR#722][opened] Fix server upgrade
URL: https://github.com/freeipa/freeipa/pull/722 Author: stlaz Title: #722: Fix server upgrade Action: opened PR body: """ OpenSSL can't cope with empty files, add a newline after each password https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/722/head:pr722 git checkout pr722 From 7945c8a9a021978c5dc82bbfe8b3b52410be5d53 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 20 Apr 2017 10:09:05 +0200 Subject: [PATCH] Fix CAInstance.import_ra_cert for empty passwords OpenSSL can't cope with empty files, add a newline after each password https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b6b915c..84d60bf 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -690,7 +690,7 @@ def import_ra_cert(self, rafile, password=''): Used when setting up replication """ -with ipautil.write_tmp_file(password) as f: +with ipautil.write_tmp_file(password + '\n') as f: pwdarg = 'file:{file}'.format(file=f.name) # get the private key from the file ipautil.run([paths.OPENSSL, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
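Review bot: the `import_ra_cert` hunk appends `'\n'` unconditionally, which fixes the empty-password case but leaves the reason only in the commit message; add a one-line comment above `write_tmp_file` saying that OpenSSL's `-passin file:` rejects an empty file and reads only the first line, so the newline is deliberate. A unit test that calls `import_ra_cert` with the default `password=''` would cover exactly the path that broke.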
[Freeipa-devel] [freeipa PR#715][closed] use correct option name
URL: https://github.com/freeipa/freeipa/pull/715 Author: realsobek Title: #715: use correct option name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/715/head:pr715 git checkout pr715
[Freeipa-devel] [freeipa PR#715][+rejected] use correct option name
URL: https://github.com/freeipa/freeipa/pull/715 Title: #715: use correct option name Label: +rejected
[Freeipa-devel] [freeipa PR#715][comment] use correct option name
URL: https://github.com/freeipa/freeipa/pull/715 Title: #715: use correct option name stlaz commented: """ Since the changes here are part of https://github.com/freeipa/freeipa/pull/716, I am going to close this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/715#issuecomment-295607975
[Freeipa-devel] [freeipa PR#718][+ack] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage Label: +ack
[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage stlaz commented: """ This patch seems to have fixed the problem, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295276975
[Freeipa-devel] [freeipa PR#721][synchronized] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 From 2d567c37257e3557088ae65d8f830cd7a79d69eb Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 19 Apr 2017 11:42:40 +0200 Subject: [PATCH] Fix RA cert import during DL0 replication Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 43 +++- ipaserver/install/ipa_replica_prepare.py | 17 +++-- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..a201649 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -338,6 +338,7 @@ def configure_instance(self, host_name, dm_password, admin_password, self.clone = True self.master_host = master_host self.master_replication_port = master_replication_port +self.ra_p12 = ra_p12 self.subject_base = \ subject_base or installutils.default_subject_base(self.realm) @@ -400,7 +401,7 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Importing RA key", self.__import_ra_key) else: self.step("importing RA certificate from PKCS #12 file", - lambda: self.import_ra_cert(ra_p12)) + self.__import_ra_cert) if not ra_only: self.step("setting up signing cert profile", self.__setup_sign_profile) 
@@ -676,28 +677,36 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile): +def __import_ra_cert(self): +""" +Helper method for IPA domain level 0 replica install +""" +self.import_ra_cert(self.ra_p12, self.dm_password) + +def import_ra_cert(self, rafile, password=''): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. Used when setting up replication """ -# get the private key from the file -ipautil.run([paths.OPENSSL, - "pkcs12", - "-in", rafile, - "-nocerts", "-nodes", - "-out", paths.RA_AGENT_KEY, - "-passin", "pass:"]) - -# get the certificate from the pkcs12 file -ipautil.run([paths.OPENSSL, - "pkcs12", - "-in", rafile, - "-clcerts", "-nokeys", - "-out", paths.RA_AGENT_PEM, - "-passin", "pass:"]) +with ipautil.write_tmp_file(password) as f: +pwdarg = 'file:{file}'.format(file=f.name) +# get the private key from the file +ipautil.run([paths.OPENSSL, + "pkcs12", + "-in", rafile, + "-nocerts", "-nodes", + "-out", paths.RA_AGENT_KEY, + "-passin", pwdarg]) + +# get the certificate from the pkcs12 file +ipautil.run([paths.OPENSSL, + "pkcs12", + "-in", rafile, + "-clcerts", "-nokeys", + "-out", paths.RA_AGENT_PEM, + "-passin", pwdarg]) self.__set_ra_cert_perms() self.configure_agent_renewal() diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 95c3818..d4456dd 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -571,14 +571,15 @@ def export_certdb(self, fname, passwd_fname): def export_ra_pkcs12(self): if (os.path.exists(paths.RA_AGENT_PEM) and os.path.exists(paths.RA_AGENT_KEY)): -ipautil.run([ -paths.OPENSSL, -"pkcs12", "-export", -"-inkey", paths.RA_AGENT_KE
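Review bot: in the second `cainstance.py` hunk, `__import_ra_cert` hands `self.dm_password` to `import_ra_cert` as the PKCS#12 password, which matches the commit message, but the public `import_ra_cert(self, rafile, password='')` default goes through `write_tmp_file('')`, producing an empty password file; #722 on this same list reports that OpenSSL cannot cope with an empty file for `-passin file:`, so the default path is broken as written. Suggest writing `password + '\n'` here rather than in a follow-up, and adding a comment at the `write_tmp_file` call explaining why.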
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721 Title: #721: Fix RA cert import during DL0 replication stlaz commented: """ Silly me """ See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295238665
[Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From 9cb7811d9b3b5c140dbf72edf9e4b00c412c3cf9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/server/install.py | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..b360e05 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -762,11 +762,12 @@ def install(installer): options.subject_base, options.ca_subject, 1101, 1100, None) krb = krbinstance.KrbInstance(fstore) -krb.create_instance(realm_name, host_name, domain_name, -dm_password, master_password, -setup_pkinit=not options.no_pkinit, -pkcs12_info=pkinit_pkcs12_info, -subject_base=options.subject_base) +if not options.external_cert_files: +krb.create_instance(realm_name, host_name, domain_name, +dm_password, master_password, +setup_pkinit=not options.no_pkinit, +pkcs12_info=pkinit_pkcs12_info, +subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: From 27a2c13c3748e334aa86169c33f042075294d903 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file -for cert in certlist: -with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +for cert in certlist: ipaca_pem.write(cert) +ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
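Review bot: the `install.py` hunk of patch 1/2 skips `krb.create_instance` whenever `options.external_cert_files` is set, relying on that option alone to mean "second step of an external-CA install, KDC already configured"; a short comment saying so would help, and it is worth checking that the `krb` object created just above is still usable later in `install()` when `create_instance` was skipped, since anything that reads state set up by `create_instance` now sees an unconfigured instance on the second run.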
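Review bot: the `__export_ca_chain` hunk of patch 2/2 fixes the real defect (the old loop reopened `paths.IPA_CA_CRT` with `'w'` on every iteration, so only the last chain element survived), and the added `ipaca_pem.write('\n')` keeps consecutive PEM blocks separated. A regression test that feeds a multi-element chain through `pkcs7_to_pems` and asserts that every certificate appears in the written file would keep this from regressing again.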
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing stlaz commented: """ We may need these changes in 4.5 and 4.4, too, since `cert-find` is rather broken there, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295212663
[Freeipa-devel] [freeipa PR#677][+ack] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing
Label: +ack
[Freeipa-devel] [freeipa PR#721][opened] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721 Author: stlaz Title: #721: Fix RA cert import during DL0 replication Action: opened PR body: """ Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/721/head:pr721 git checkout pr721 From 1c7109c885457b20d7e1104c1e327537e9965b6f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 19 Apr 2017 11:42:40 +0200 Subject: [PATCH] Fix RA cert import during DL0 replication Previous versions of FreeIPA add password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and fixed now. https://pagure.io/freeipa/issue/6878 --- ipaserver/install/cainstance.py | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..faffd2e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -400,7 +400,8 @@ def configure_instance(self, host_name, dm_password, admin_password, self.step("Importing RA key", self.__import_ra_key) else: self.step("importing RA certificate from PKCS #12 file", - lambda: self.import_ra_cert(ra_p12)) + lambda: self.import_ra_cert(ra_p12, + self.dm_password)) if not ra_only: self.step("setting up signing cert profile", self.__setup_sign_profile) 
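Review bot: the new lambda passes `self.dm_password`, while the enclosing `configure_instance(self, host_name, dm_password, admin_password, ...)` receives `dm_password` as a parameter; unless the attribute is guaranteed to be set before the steps run, pass the parameter instead (`lambda: self.import_ra_cert(ra_p12, dm_password)`), otherwise a `None` attribute makes `import_ra_cert` silently fall back to the empty `pass:` password and the RA import fails with an unhelpful openssl error.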
@@ -676,20 +677,26 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile): +def import_ra_cert(self, rafile, password=None): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. Used when setting up replication """ +pwdarg = 'pass:' +if password is not None: +pwdfile_fd, pwdfile_name = tempfile.mkstemp() +os.write(pwdfile_fd, password) +os.close(pwdfile_fd) +pwdarg = 'file:{file}'.format(file=pwdfile_name) # get the private key from the file ipautil.run([paths.OPENSSL, "pkcs12", "-in", rafile, "-nocerts", "-nodes", "-out", paths.RA_AGENT_KEY, - "-passin", "pass:"]) + "-passin", pwdarg]) # get the certificate from the pkcs12 file ipautil.run([paths.OPENSSL, @@ -697,7 +704,7 @@ def import_ra_cert(self, rafile): "-in", rafile, "-clcerts", "-nokeys", "-out", paths.RA_AGENT_PEM, - "-passin", "pass:"]) + "-passin", pwdarg]) self.__set_ra_cert_perms() self.configure_agent_renewal() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
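Review bot: in `import_ra_cert`, the file created by `tempfile.mkstemp()` to hold the Directory Manager password is never removed: nothing unlinks `pwdfile_name` after the second `openssl pkcs12` call, and if the first `ipautil.run` raises the file is left behind as well. Wrap both runs in `try:` / `finally:` and `os.remove(pwdfile_name)` there when a password was given. Two smaller points: `os.write(pwdfile_fd, password)` takes bytes, so a text `password` has to be encoded first under Python 3; and the reason `file:` is preferable to `pass:<password>` is that `mkstemp()` creates the file mode 0600 whereas a command-line argument is visible to every local user, which deserves a one-line comment.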
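The pattern the PR body describes, handing the tarball's password to `openssl pkcs12 -passin` for the RA key and cert, as an added stand-alone example that is not FreeIPA's code: the password goes through a 0600 temporary file rather than the command line, and the file is removed again whether the child processes succeed or fail. The `run` parameter (a stand-in for `ipautil.run`, injectable so the sequencing can be exercised without openssl), the `passin_file` context manager and the file names are assumptions of this example; Python 3 is assumed.

```python
"""Added example (not FreeIPA code): pass a PKCS#12 password to openssl via a
temporary file and guarantee its removal.  `run` stands in for ipautil.run."""
import contextlib
import os
import subprocess
import tempfile


@contextlib.contextmanager
def passin_file(password):
    """Yield an openssl `-passin` argument.

    With a password: write it to a temp file (mkstemp creates it mode 0600,
    so other local users cannot read it, unlike an argv `pass:...`) and yield
    'file:<path>'.  The file is unlinked when the block exits, including when
    the commands inside raised.  With None: yield 'pass:', the empty password
    older tarballs used.
    """
    if password is None:
        yield "pass:"
        return
    if isinstance(password, str):
        password = password.encode("utf-8")  # os.write() wants bytes
    fd, name = tempfile.mkstemp(prefix="passin-")
    try:
        os.write(fd, password)
        os.close(fd)
        yield "file:{}".format(name)
    finally:
        try:
            os.unlink(name)
        except FileNotFoundError:
            pass


def extract_ra_key_and_cert(p12, key_out, cert_out, password,
                            run=subprocess.check_call):
    """The two openssl invocations from the PR, sharing one password file.
    Returns the -passin argument that was used (for inspection only)."""
    with passin_file(password) as pwdarg:
        run(["openssl", "pkcs12", "-in", p12, "-nocerts", "-nodes",
             "-out", key_out, "-passin", pwdarg])
        run(["openssl", "pkcs12", "-in", p12, "-clcerts", "-nokeys",
             "-out", cert_out, "-passin", pwdarg])
    return pwdarg


def demo():
    """Record what each child would have seen (mode, content), then report
    whether the password file still exists after the calls.  Constructed
    inputs; no openssl is executed."""
    seen = []

    def fake_run(argv):
        path = argv[argv.index("-passin") + 1][len("file:"):]
        with open(path, "rb") as f:
            seen.append((oct(os.stat(path).st_mode & 0o777), f.read()))

    pwdarg = extract_ra_key_and_cert("ra.p12", "ra.key", "ra.crt", "s3cret",
                                     run=fake_run)
    return seen, os.path.exists(pwdarg[len("file:"):])


def demo_cleanup_on_error():
    """The file must also disappear when the first openssl call fails."""
    paths = []

    def failing_run(argv):
        paths.append(argv[argv.index("-passin") + 1][len("file:"):])
        raise RuntimeError("simulated openssl failure")

    try:
        extract_ra_key_and_cert("ra.p12", "ra.key", "ra.crt", "s3cret",
                                run=failing_run)
    except RuntimeError:
        pass
    return bool(paths) and not os.path.exists(paths[0])


if __name__ == "__main__":
    print(demo())                  # ([('0o600', b's3cret'), ('0o600', b's3cret')], False)
    print(demo_cleanup_on_error())  # True
```

The context manager keeps the cleanup in one place, so adding a third openssl call later cannot forget it; `-nodes` still writes the unencrypted RA key to `key_out`, exactly as in the patch, so that file needs its own permissions handling (the PR's `__set_ra_cert_perms`).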
[Freeipa-devel] [freeipa PR#719][synchronized] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From 2940a8774fe3283497d13ef287de2e10638e725f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/server/install.py | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..7c0eccf 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -761,12 +761,15 @@ def install(installer): realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None) -krb = krbinstance.KrbInstance(fstore) -krb.create_instance(realm_name, host_name, domain_name, -dm_password, master_password, -setup_pkinit=not options.no_pkinit, -pkcs12_info=pkinit_pkcs12_info, -subject_base=options.subject_base) +if not options.external_cert_files: +krb = krbinstance.KrbInstance(fstore) +krb.create_instance(realm_name, host_name, domain_name, +dm_password, master_password, +setup_pkinit=not options.no_pkinit, +pkcs12_info=pkinit_pkcs12_info, +subject_base=options.subject_base) +else: +krb = krbinstance.KrbInstance(fstore) if setup_ca: if not options.external_cert_files and options.external_ca: From 9d165c77186f7f1f4db0c0cc3b58a6d5f3582384 Mon Sep 17 00:00:00 2001 
From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file -for cert in certlist: -with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +for cert in certlist: ipaca_pem.write(cert) +ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
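Review bot: `krb = krbinstance.KrbInstance(fstore)` is now written in both the `if not options.external_cert_files:` branch and the `else:` branch; hoist the constructor above the `if`, keep only the `krb.create_instance(...)` call under the guard, and the `else:` disappears.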
[Freeipa-devel] [freeipa PR#719][edited] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Author: stlaz
Title: #719: External CA fixes
Action: edited
Changed field: body

Original value:
"""
External CA installation would have failed for 2 reasons:
- Trying to perform Kerberos install twice (for some reason our QA forgot to tell us that)
- Rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them

This patchset fixes that behavior.
"""
[Freeipa-devel] [freeipa PR#719][opened] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: opened PR body: """ External CA installation would have failed for 2 reasons: - Trying to perform Kerberos install twice (for some reason our QA forgot to tell us that) - Rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them This patchset fixes that behavior. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719 From ed3c00e302ed9958646027541b5fe7187ce21a13 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/server/install.py | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..7c0eccf 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -761,12 +761,15 @@ def install(installer): realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None) -krb = krbinstance.KrbInstance(fstore) -krb.create_instance(realm_name, host_name, domain_name, -dm_password, master_password, -setup_pkinit=not options.no_pkinit, -pkcs12_info=pkinit_pkcs12_info, -subject_base=options.subject_base) +if not options.external_cert_files: +krb = krbinstance.KrbInstance(fstore) +krb.create_instance(realm_name, host_name, domain_name, +dm_password, master_password, +setup_pkinit=not options.no_pkinit, +pkcs12_info=pkinit_pkcs12_info, +subject_base=options.subject_base) +else: +krb = krbinstance.KrbInstance(fstore) if setup_ca: if not options.external_cert_files and options.external_ca: From 3cb951eae3806242dadf4643eb93012d5095ac5b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file -for cert in certlist: -with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: +for cert in certlist: ipaca_pem.write(cert) +ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
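Review bot: the commit message of PATCH 1/2 (No double Kerberos install) links https://pagure.io/freeipa/issue/6872, the same ticket PATCH 2/2 cites for the cert-chain rewrite; the double Kerberos install is a separate problem and should reference its own ticket. In the hunk itself, `krb = krbinstance.KrbInstance(fstore)` is duplicated in both branches of the new `if not options.external_cert_files:`; construct it once above the `if` and put only `krb.create_instance(...)` under the guard.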
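The second failure the PR body describes, "rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them", as an added stand-alone example that is not FreeIPA's code: the per-certificate `open(..., 'w')` loop beside a writer that opens the file once, and a check that counts the PEM blocks that actually landed on disk. It goes one step beyond the patch by publishing the chain with an atomic rename, so a reader never sees a half-written file. The PEM strings are constructed placeholders (only their framing matters), their leaf-to-root order is an assumption, and `write_chain_*`/`count_pem_certs` are names of this example, not of the project.

```python
"""Added example (not FreeIPA code): losing a CA chain by reopening the file
per certificate, versus writing it once and replacing the file atomically."""
import os
import re
import tempfile

# Constructed stand-ins for what a PKCS#7-to-PEM conversion would return:
# one PEM string per certificate.  Not real certificates.
CHAIN = [
    "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n",
    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n",
    "-----BEGIN CERTIFICATE-----\nMIIB...root...\n-----END CERTIFICATE-----\n",
]

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def write_chain_buggy(path, certlist):
    """The behaviour the PR body describes: 'w' inside the loop truncates the
    file on every iteration, so only the last certificate survives."""
    for cert in certlist:
        with open(path, "w") as f:
            f.write(cert)


def write_chain_fixed(path, certlist):
    """Open once, write every certificate, then rename the finished file into
    place so readers see either the old chain or the complete new one."""
    if not certlist:
        raise ValueError("refusing to write an empty CA chain")
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ca-chain-")
    try:
        with os.fdopen(fd, "w") as f:
            for cert in certlist:
                f.write(cert)
                if not cert.endswith("\n"):   # separate blocks, no blank lines
                    f.write("\n")
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)   # the CA chain is public; mkstemp made it 0600
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def count_pem_certs(path):
    """The check: how many certificate blocks does the file really hold?"""
    with open(path) as f:
        return len(PEM_BLOCK.findall(f.read()))


def demo():
    """Returns (blocks written by the buggy writer, blocks by the fixed one)."""
    with tempfile.TemporaryDirectory() as d:
        buggy = os.path.join(d, "buggy.crt")
        fixed = os.path.join(d, "fixed.crt")
        write_chain_buggy(buggy, CHAIN)
        write_chain_fixed(fixed, CHAIN)
        return count_pem_certs(buggy), count_pem_certs(fixed)


def demo_empty_chain_rejected():
    """An empty certlist must not clobber a chain that is already installed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.crt")
        write_chain_fixed(path, CHAIN)
        try:
            write_chain_fixed(path, [])
        except ValueError:
            pass
        return count_pem_certs(path) == 3


if __name__ == "__main__":
    print(demo())                       # (1, 3)
    print(demo_empty_chain_rejected())  # True
```

`count_pem_certs` is the kind of check a test for this PR would make against the exported file: an external-CA install that writes only one block where the chain has three is exactly the regression the patch fixes.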