[Freeipa-devel] [freeipa PR#361][-ack] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:
Label: -ack

-- 
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:

stlaz commented:
"""
The change LGTM, ACK, we'll see how it works :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270612407
[Freeipa-devel] [freeipa PR#361][+ack] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:
Label: +ack
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org

stlaz commented:
"""
Um, sorry, but I fail to see the real upside here, perhaps I am missing something. If I see here on GitHub that a build of my PR failed, and I really don't check whether it's ok, I can just go, click three or four times and I get where I want and see what I want, and all that is at the same spot where my code is. What exactly do I get by having the log pasted somewhere that is in no way connected to the code I submitted? I believe I must be missing something, so please educate me :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270583984
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
@rcritten I spoke to the NSS people, who assured me it's the intended behavior. But thanks for the reminder, I will open a Bugzilla for that as well; I was considering it before Christmas.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270383517
[Freeipa-devel] [freeipa PR#352][comment] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/352
Title: #352: Clarify meaning of --domain and --realm in installers

stlaz commented:
"""
The fixes to the raised issues are in https://github.com/freeipa/freeipa/issues/362
"""

See the full comment at https://github.com/freeipa/freeipa/pull/352#issuecomment-270355061
[Freeipa-devel] [freeipa PR#352][+rejected] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/352
Title: #352: Clarify meaning of --domain and --realm in installers
Label: +rejected
[Freeipa-devel] [freeipa PR#352][closed] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/352
Author: pspacek
Title: #352: Clarify meaning of --domain and --realm in installers
Action: closed

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/352/head:pr352
    git checkout pr352
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:

stlaz commented:
"""
@martbab My naive solution is to do something like

```bash
# Line number of the first pytest "FAILURES" header in the log
LINE=$(grep -n -m 1 -e "=== FAILURES ===" "$CI_TRAVIS_LOG" | cut -d: -f1)
# Total line count; read from stdin so that wc prints only the number
LINES=$(wc -l < "$CI_TRAVIS_LOG")
# Print everything from the header line (inclusive) to the end of the log
tail -n $((LINES - LINE + 1)) "$CI_TRAVIS_LOG"
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270350910
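As an added example (not the commenter's code and not FreeIPA's CI script), the same extraction written so that it also copes with the case the naive version misses: when the build broke before pytest ran, no FAILURES header exists, and the script falls back to the tail of the log instead of printing nothing or failing on an empty line number. The function name and the sample log lines are constructed for this illustration.

```shell
#!/bin/sh
# Print the pytest FAILURES section of a CI log. If the marker is absent
# (for example the build broke before pytest ran), fall back to the last
# $2 lines (default 50) so that something useful is still shown.
failures_section() {
    log=$1
    fallback=${2:-50}
    # Number of the first line containing the pytest section header;
    # pytest pads the header with '=' so a short pattern is enough.
    line=$(grep -n -m 1 -E '=+ FAILURES =+' "$log" | cut -d: -f1)
    if [ -n "$line" ]; then
        # Everything from the header line (inclusive) to the end of the log.
        tail -n +"$line" "$log"
    else
        tail -n "$fallback" "$log"
    fi
}

# Constructed sample log (not a real Travis build log) for a demonstration run.
sample=$(mktemp)
printf '%s\n' \
    'collected 3 items' \
    'test_a.py .F.' \
    '=================================== FAILURES ===================================' \
    '______________________________ test_b ______________________________' \
    'AssertionError: expected 1, got 2' \
    '====================== 1 failed, 2 passed in 0.12 seconds ======================' \
    > "$sample"
failures_section "$sample"
rm -f "$sample"
```

Because the line number comes from the first match, a log that contains the word FAILURES in test output before the real header would cut the section short; anchoring the pattern on the surrounding '=' padding keeps that from happening in practice.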
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
You're right, I should probably write some design. The current implementation does not check CRL or OCSP, so we're "fine" with this change. There is a plan on doing CRL checks in certmonger, though.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270347796
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 182bec40b1611bb5eac6162a49854dfdbb59a6fd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 +++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 ++ ipalib/util.py | 73 + 4 files changed, 91 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self
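Review bot: in the SSLTransport.make_connection hunk of ipalib/rpc.py, the removed NSSConnection call passed api.env.tls_version_min and api.env.tls_version_max, but the replacement constructor is cut off in this excerpt; make sure IPAHTTPSConnection receives the same version bounds and verifies the server certificate against context.ca_certfile with hostname checking enabled, otherwise swapping NSS for OpenSSL silently relaxes the client's TLS policy. The same hunk reads context.ca_certfile where the old code read context.nss_dir, while the config.py hunk only sets the ca_certfile default on the Env object; confirm the request context gets ca_certfile populated the same way nss_dir was, or the first RPC will fail with an AttributeError.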
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:

stlaz commented:
"""
I assume the licence headers did not break the automember tests, so this could be pushed. Just a brief question: would it be reasonable to get the line number of "= FAILURES =" and tail the "$CI_TRAVIS_LOG" from the end to it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270333276
[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

stlaz commented:
"""
@frasertweedale if `_ldap_search` is performed with correct filters, `sizelimit=0` is not the correct solution, at least for the CLI, which should either follow the `sizelimit` argument if set or the record size limit in the IPA config. It is only correct for the WebUI, which I believe should be setting `sizelimit=0`, and if it's not, I'd be looking for the bug there.

I tried to briefly go through the cert plugin code but it's a bit messy, so my only hope is that the correct filter is indeed used there. On the way through it, though, I found something that seems like another size limit bug: https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/cert.py#L1306 -> which will not set our "unlimited" if `sizelimit` is set to 0. Also from there, if `sizelimit` is not set, we should go with the IPA config sizelimit rather than having the magic do its trick somewhere else, right? Then the proposed value in options.get() could go away (be set in the cert.py module instead).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-270328738
[Freeipa-devel] [freeipa PR#367][edited] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
Title: #367: Remove nsslib from IPA
Action: edited
Changed field: body

Original value:
"""
This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with the more standard httplib.HTTPSConnection.

NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS mode, it always requires a password to the NSS database, as NSS apparently tries to create a temporary private key and store it in the database even though client authentication is not required in the SSL connection.

TODO (will require changes in certmonger/dogtag.c):
- [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger
- [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead

https://fedorahosted.org/freeipa/ticket/5695
"""
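As an added example (not code from this PR or from FreeIPA), the properties an OpenSSL-backed replacement for NSSConnection has to preserve when it is built on the standard library: a client context that trusts only the deployment CA file rather than the system store, enforces the configured TLS version bounds and verifies the server hostname. The "tls1.x" option strings, the function names and the host name used below are assumptions for illustration. One caveat worth remembering for the Python 2 httplib the PR names: HTTPSConnection verified nothing by default before Python 2.7.9 (PEP 476), so a context must be passed explicitly on such interpreters.

```python
import http.client
import ssl

# Assumed representation of the tls_version_min/tls_version_max settings
# ("tls1.0" .. "tls1.3"); the string form is an assumption for this example.
TLS_VERSIONS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}


def make_client_context(ca_certfile=None, tls_version_min="tls1.2",
                        tls_version_max=None):
    """Build a client SSLContext that verifies the server against
    ca_certfile only, checks the hostname and pins the negotiated protocol
    to the range [tls_version_min, tls_version_max]."""
    low = TLS_VERSIONS[tls_version_min]
    high = TLS_VERSIONS[tls_version_max] if tls_version_max else None
    if high is not None and high < low:
        raise ValueError("tls_version_max %s is below tls_version_min %s"
                         % (tls_version_max, tls_version_min))
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and check_hostname; unlike
    # create_default_context() it loads no CA certificates, so the
    # deployment CA passed in is the only trust anchor.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = low
    if high is not None:
        ctx.maximum_version = high
    if ca_certfile is not None:
        ctx.load_verify_locations(cafile=ca_certfile)
    return ctx


def context_policy(ctx):
    """Summarise the security-relevant settings of a context so that a
    caller (or a test) can check what was actually configured."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
    }


def make_connection(host, ca_certfile, tls_version_min="tls1.2",
                    tls_version_max=None, port=443):
    """Return an HTTPSConnection wired to the verifying context above;
    the TCP connection itself is opened lazily on the first request."""
    ctx = make_client_context(ca_certfile, tls_version_min, tls_version_max)
    return http.client.HTTPSConnection(host, port, context=ctx)
```

Checking the context with context_policy() before the first request is the cheap way to catch the regression the reviewer would otherwise have to look for by hand: a context that reports verify_required False, or a minimum_version below what the deployment configured, means the NSS-to-OpenSSL swap weakened the client.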
[Freeipa-devel] [freeipa PR#367][opened] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: opened PR body: """ This batch of patches removes NSSConnection along with the whole ipapython.nsslib from IPA and replaces it with more standard httplib.HTTPSConnection. NSSConnection was causing a lot of trouble in the past because it is apparently very fragile when it comes to nss library initialization. On top of that, when NSSConnection is used to set up an HTTPS connection in FIPS, it always requires a password to NSS database as NSS apparently tries to create a temporary private key and store it to the database even though client authentication is not required in the SSL connection. TODO (will require changes in certmonger/dogatg.c): - [ ] we may probably remove ipaCert from /etc/httpd/alias and stop tracking it with certmonger - [ ] once ^- is done, track /var/lib/ipa/ra-agent.pem in certmonger instead https://fedorahosted.org/freeipa/ticket/5695 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 182bec40b1611bb5eac6162a49854dfdbb59a6fd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 +++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 ++ ipalib/util.py | 73 + 4 files changed, 91 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 
--- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers
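Review bot: the import hunk in ipalib/rpc.py replaces `from nss.error import NSPRError` with `from ssl import SSLError`, so every `except NSPRError` site in the module has to move to the new exception or those handlers will catch nothing and the failures the commit message says there was "a lot of logic around" become unhandled tracebacks. Note also that with httplib a refused or reset connection surfaces as socket.error (OSError), not SSLError, so handlers that used NSPRError for both transport and TLS failures will likely need both; the diffstat only lists rpc.py and util.py, so a grep for NSPRError across ipalib and ipaclient is a cheap completeness check.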
[Freeipa-devel] [freeipa PR#362][+ack] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362
Title: #362: Clarify meaning of --domain and --realm in installers
Label: +ack
[Freeipa-devel] [freeipa PR#362][synchronized] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Author: stlaz Title: #362: Clarify meaning of --domain and --realm in installers Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/362/head:pr362 git checkout pr362 From c3232015baf2f519bd887f2f70082e031a1a31cd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 2 Jan 2017 13:22:07 +0100 Subject: [PATCH] Clarify meaning of --domain and --realm in installers Man pages need bigger overhaul. Take this as hot-fix for FAQ. https://fedorahosted.org/freeipa/ticket/6574 --- client/man/ipa-client-install.1 | 31 ++--- install/tools/man/ipa-dns-install.1 | 27 -- install/tools/man/ipa-replica-install.1 | 38 ++ install/tools/man/ipa-server-install.1 | 41 + ipalib/install/service.py | 6 +++-- 5 files changed, 64 insertions(+), 79 deletions(-) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 index 9ae0b8b..319952c 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 
@@ -1,22 +1,7 @@ .\" A man page for ipa-client-install -.\" Copyright (C) 2008 Red Hat, Inc. +.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license .\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation, either version 3 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, but -.\" WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -.\" General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program. If not, see <http://www.gnu.org/licenses/>. -.\" -.\" Author: Rob Crittenden <rcrit...@redhat.com> -.\" -.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" 
@@ -84,13 +69,21 @@ Consequences of the re\-enrollment on the host entry: .SS "BASIC OPTIONS" .TP \fB\-\-domain\fR=\fIDOMAIN\fR -Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details). +The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased name of an IPA Kerberos realm name. + +When no \-\-server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details). + +The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value. .TP \fB\-\-server\fR=\fISERVER\fR Set the FQDN of the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured. + +Under normal circumstances, this option is not needed as the list of servers is retrieved from the primary IPA DNS domain. .TP \fB\-\-realm\fR=\fIREALM_NAME\fR -Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server. +The Kerberos realm of an existing IPA deployment. Usually it is an upper-cased name of the primary DNS domain used by the IPA installation. + +Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server. .TP \fB\-\-fixed\-primary\fR Configure SSSD to use a fixed server as the primary IPA server. 
The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf. diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 index ad937cc..3ae9f6d 100644 --- a/install/tools/man/ipa-dns-install.1 +++ b/insta
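Review bot: in the --domain hunk of client/man/ipa-client-install.1, "Usually the name is a lower-cased name of an IPA Kerberos realm name" is circular and hard to parse; suggest "Usually it is the lower-cased form of the IPA Kerberos realm name", which also mirrors the wording of the new --realm paragraph. In the same hunk, "This DNS domain should contain the SRV records generated by the IPA server installer" would be clearer as "must contain ... for DNS autodiscovery to work", since the next paragraph relies on exactly those records.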
[Freeipa-devel] [freeipa PR#362][opened] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Author: stlaz Title: #362: Clarify meaning of --domain and --realm in installers Action: opened PR body: """ This is my take on original https://github.com/freeipa/freeipa/pull/352. I hope I fixed all the mentioned issues + I added some missing articles. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/362/head:pr362 git checkout pr362 From 0c30326cdef516131540b755d689034ebf2d33ac Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 2 Jan 2017 13:22:07 +0100 Subject: [PATCH] Clarify meaning of --domain and --realm in installers Man pages need bigger overhaul. Take this as hot-fix for FAQ. https://fedorahosted.org/freeipa/ticket/6574 --- client/man/ipa-client-install.1 | 31 ++--- install/tools/man/ipa-dns-install.1 | 27 -- install/tools/man/ipa-replica-install.1 | 38 ++ install/tools/man/ipa-server-install.1 | 41 + ipalib/install/service.py | 6 +++-- 5 files changed, 64 insertions(+), 79 deletions(-) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 index 9ae0b8b..319952c 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 
@@ -1,22 +1,7 @@ .\" A man page for ipa-client-install -.\" Copyright (C) 2008 Red Hat, Inc. +.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license .\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation, either version 3 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, but -.\" WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -.\" General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program. If not, see <http://www.gnu.org/licenses/>. -.\" -.\" Author: Rob Crittenden <rcrit...@redhat.com> -.\" -.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" 
@@ -84,13 +69,21 @@ Consequences of the re\-enrollment on the host entry: .SS "BASIC OPTIONS" .TP \fB\-\-domain\fR=\fIDOMAIN\fR -Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details). +The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased name of an IPA Kerberos realm name. + +When no \-\-server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details). + +The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value. .TP \fB\-\-server\fR=\fISERVER\fR Set the FQDN of the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured. + +Under normal circumstances, this option is not needed as the list of servers is retrieved from the primary IPA DNS domain. .TP \fB\-\-realm\fR=\fIREALM_NAME\fR -Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server. +The Kerberos realm of an existing IPA deployment. Usually it is an upper-cased name of the primary DNS domain used by the IPA installation. + +Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server. .TP \fB\-\-fixed\-primary\fR Configure SSSD to use a fixed server as the primary IPA server. 
The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server o
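Review bot: in the --realm hunk, "Usually it is an upper-cased name of the primary DNS domain used by the IPA installation" reads better as "Usually it is the upper-cased form of the primary DNS domain of the IPA deployment", reusing the "existing IPA deployment" wording the --domain paragraph introduces two hunks earlier. The new --server sentence "the list of servers is retrieved from the primary IPA DNS domain" should say the list comes from that domain's SRV records, since the preceding sentence already talks about disabling DNS autodiscovery and the reader otherwise has to guess the mechanism.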
[Freeipa-devel] [freeipa PR#350][+ack] spec file: revert to the previous Release tag
URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag
Label: +ack
[Freeipa-devel] [freeipa PR#350][comment] spec file: revert to the previous Release tag
URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag

stlaz commented:
"""
I also appreciate the dist information, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/350#issuecomment-269950104
[Freeipa-devel] [freeipa PR#298][+rejected] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently
Label: +rejected
[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH 1/2] Unify password generation across FreeIPA Also had to recalculate entropy of the passwords as originally, probability of generating each character was 1/256, however the default probability of each character in the ipa_generate_password is 1/95 (1/94 for first and last character). https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..198c43d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) 
@@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): @@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..dc4b5b0 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=20) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, 
@@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..9fdb5a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +password = ipautil.ipa_generate_password(pwd_len=15) f = os.open(pwd_file, os.O_C
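Review bot: In the two certs.py hunks the entropy bound holds but the commit message states it imprecisely: the removed `gen_password` returned `sha1(...).hexdigest()`, a 40-character hex string capped at 160 bits (1/16 per emitted character, not 1/256), and the replacement `ipautil.ipa_generate_password(pwd_len=25)` gives about 25 x log2(95), roughly 164 bits over the default 95-character set, slightly less with the 94-character first and last positions, so 25 is the smallest length that still covers 160 bits. Please say both bounds in the message rather than the blanket "1/256" figure, which only describes the `os.urandom` bytes in the other files. Also, the `create_noise_file` hunk goes from `f.write(ipautil.ipa_generate_password(pwd_len=25))` straight to `self.set_perms(self.noise_fname)` with no `f.close()` inside the context lines, unlike `create_passwd_file`; confirm the close happens before certutil reads the noise file.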
[Freeipa-devel] [freeipa PR#356][+ack] server install: fix KRA agent PEM file not being created
URL: https://github.com/freeipa/freeipa/pull/356
Title: #356: server install: fix KRA agent PEM file not being created
Label: +ack
[Freeipa-devel] [freeipa PR#356][comment] server install: fix KRA agent PEM file not being created
URL: https://github.com/freeipa/freeipa/pull/356
Title: #356: server install: fix KRA agent PEM file not being created
stlaz commented:
"""
Works as expected.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/356#issuecomment-26827
[Freeipa-devel] [freeipa PR#279][+ack] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf
Label: +ack
[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation
stlaz commented:
"""
I just wanted to remove the ACK till @martbab's comment is worked in so nobody pushes it, but I found some minor issues that I would like to see fixed in the rebase as well.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-267546613
[Freeipa-devel] [freeipa PR#210][-ack] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation
Label: -ack
[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode
stlaz commented:
"""
Rebase done. I wanted to wait for some more changes to api bootstrapping to be able to call client installation from a module using the latest installer system from the installers refactoring, but we agreed with @jcholast that it'd be better to do that later.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-267356755
[Freeipa-devel] [freeipa PR#117][synchronized] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117 Author: stlaz Title: #117: Make ipa-replica-install run in interactive mode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/117/head:pr117 git checkout pr117 From b16ce42e7c0ec6611f71a1c4d0da22349ee33148 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 26 Sep 2016 12:43:24 +0200 Subject: [PATCH] replicainstall: run in interactive mode Tweaks to replica installation to support interactive mode: - modified man to better document what actually happens - added principal/password prompt for unattended mode of ipa-replica-install if no credentials are set - made ipa-client-install run in interactive mode during replica promotion if it is itself not run in unattended mode https://fedorahosted.org/freeipa/ticket/6068 --- install/tools/man/ipa-replica-install.1| 4 +- ipaserver/install/server/replicainstall.py | 116 +++-- 2 files changed, 78 insertions(+), 42 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index af37b07..f94098d 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -49,7 +49,7 @@ A replica should only be installed on the same or higher version of IPA on the r The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary. .TP \fB\-w\fR, \fB\-\-admin\-password\fR -The Kerberos password for the given principal. +The Kerberos password for the given principal. If no principal is supplied with \-\-principal, "admin" is assumed. .SS "DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS" To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation. 
@@ -58,7 +58,7 @@ To install client and promote it to replica using a host keytab or One Time Pass .TP \fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR -One Time Password for joining a machine to the IPA realm. +One Time Password for joining a machine to the IPA realm. If the \-\-principal option is used, this is assumed a password for that principal. .TP \fB\-k\fR, \fB\-\-keytab\fR Path to host keytab. diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b0cf28f..91d4ee6 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -13,6 +13,7 @@ import socket import tempfile import traceback +import getpass from pkg_resources import parse_version import six 
@@ -862,46 +863,50 @@ def install_check(installer): def ensure_enrolled(installer): -# Call client install script -service.print_msg("Configuring client side components") +# Prepare options for the installer script +args = [paths.IPA_CLIENT_INSTALL, "--no-ntp"] +nolog = () + +if installer.unattended: +args.append("--unattended") +if installer.domain_name: +args.extend(["--domain", installer.domain_name]) +if installer.server: +args.extend(["--server", installer.server]) +if installer.realm_name: +args.extend(["--realm", installer.realm_name]) +if installer.host_name: +args.extend(["--hostname", installer.host_name]) +if installer.password: +args.extend(["--password", installer.password]) +else: +if installer.admin_password: +# Always set principal if password was set explicitly. +# This is the behaviour from domain level 0 so we're keeping it +args.extend(["--principal", installer.principal or "admin"]) +nolog = (installer.admin_password, ) +args.extend(["--password", installer.admin_password]) +if installer.keytab: +args.extend(["--keytab", installer.keytab]) + +if installer.no_dns_sshfp: +args.append("--no-dns-sshfp") +if installer.ssh_trust_dns: +args.append("--ssh-trust-dns") +if installer.no_ssh: +args.append("--no-ssh") +if installer.no_sshd: +args.append("--no-sshd") +if installer.mkhomedir: +args.append("--mkhomedir") + try: +service.print_msg("Configuring client side components") +# Set _enrollment_performed to True so that any mess left behind in +# case of an enrollment failure gets cleaned installer._enrollment_performed = True - -args = [paths.IPA_CLIENT_INSTALL, "--unattended", "--no-ntp"] -stdin
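Review bot: In the `ensure_enrolled` hunk the secret-redaction is asymmetric: `nolog` is only set in the `installer.admin_password` branch, while the `if installer.password:` branch appends `["--password", installer.password]` (the One Time Password) without adding it to `nolog`, so that value will be written to the install log when the client-install command line is recorded. Set `nolog = (installer.password, )` there as well. Since the removed line beginning `stdin` suggests the previous code fed the secret to ipa-client-install on standard input, also weigh whether passing it in argv is acceptable at all: argv is readable by other local users for the lifetime of the process, standard input is not.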
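Review bot: In the man page hunk for `-p`/`--password`, "this is assumed a password for that principal" is ungrammatical; suggest "this is taken as the password for that principal". The `-w` hunk should likewise say which option supplies the principal in one place only, since "If no principal is supplied with --principal, \"admin\" is assumed" now appears under `-w` while the code path that applies it (`installer.principal or "admin"`) is only taken when `--admin-password` is given; stating that condition in the man page text would avoid the impression that `--principal` defaults to admin in every mode.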
[Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301
Title: #301: scripts, tests: explicitly set confdir in the rest of server code
stlaz commented:
"""
@tiran I find all the changes actually required. I think ACK is in order unless you spell out those which you think are not necessary.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-266683420
[Freeipa-devel] [freeipa PR#323][+ack] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services
Label: +ack
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services
stlaz commented:
"""
Works as expected. ACK.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266427247
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services
stlaz commented:
"""
Do we need a ticket for this? I notice the original commit did not have it either.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266368348
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
Correct me if I'm wrong here, but I believe we're going for the scenario where the attacker has to guess the `xxx` bits of entropy and they know that they have to do it. We're not actually coding `xxx` bits of entropy, as we need more entropy bits to get a sufficient result (hence `length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))`).

However! To the very first question of yours - unfortunately, there is a very small relation between the arguments in `__init__` and `__call__`, as @tiran says:

> I'm not clever enough to come up with an algorithm to calculate the length
> with additional restrictions. My gut feeling tells me that less than 15% per
> character class (3 for upper/lower case and symbols, 1 for digit) should be
> ok.

From the code you can see that if a certain class of characters should not be used, it's not accounted for in the calculation of the final length of the password, but that's about it - if a further restriction is made (>1 character of the given character class), this restriction is also not accounted for. But since we're the ones who'll be using this token generator, I think we could live with this. There should be a warning in a docstring somewhere, though.

edit: Just realized - the code is wrong: the restriction to a certain class == None should just mean that the characters from the given class could but don't have to appear in the password (thus they still need to be accounted for); the restriction to a certain class == 0 should mean the character should not appear in the password and should not be accounted for in the length calculation.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266362288
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
@simo5 I was actually trying to get rid of SHA-1 and I am aware that entropy will not be raised; that part of the code drew a smile on some of our faces here, really :)

As for the spaces, I did not encounter issues with them in password.conf files, which is awesome, but I agree they're potentially dangerous. However, removing them from the default set of password chars would not make our life easier, as the check would have to stay there in case someone passes them as a possible character as an argument to ipa_generate_password (although they should probably know what they're doing, right?). We may be able to get rid of the `characters` argument should the cases where it's used be found invalid, though (currently in `host`, `user` passwords and in `dnskeysync`).

@tiran Regarding sha1 - did you see the patch? ;) However, I agree that the length is not a good argument for a password-generating function; I will have a look at transforming it to entropy.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265761543
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
Apparently, spaces are ok even in HTTP password.conf so I guess we can leave it there.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265739766
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
NSS does support spaces in its passwords it seems. My hopes are that HTTP will be able to understand spaces in its password.conf file.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265720579
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA
stlaz commented:
"""
The passwords should have around the same entropy now. SHA-1 actually produces 160-bit outputs (hence 40-character-long hexadecimal digests), so I recounted it for 20 bytes of entropy. As ipa_generate_password creates passwords of only printable characters (and a space) by default, base64 should not be a requirement here. However, a space could be a problem somewhere, I guess; should it be removed as well from the default behavior of the password generator?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265686352
[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH] Unify password generation across FreeIPA Also had to recalculate entropy of the passwords as originally, probability of generating each character was 1/256, however the default probability of each character in the ipa_generate_password is 1/95 (1/94 for first and last character). https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..198c43d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) @@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): 
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..dc4b5b0 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=20) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, @@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..9fdb5a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +password = ipautil.ipa_generate_password(pwd_len=15) f = os.open(pwd_file, os.O_C
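Review bot: in the certs.py create_noise_file and create_passwd_file hunks the value written changes from a 40-character hex sha1 digest to ipautil.ipa_generate_password(pwd_len=25), which per the commit message draws from a 95-symbol alphabet; if that alphabet is the full printable ASCII set it includes space and shell-special punctuation, so the NSS password file now contains characters the old hex string never had. Confirm that everything that reads self.passwd_fname (certutil and any wrapper that passes the file content on a command line) copes with those characters, or restrict the alphabet for that file. The noise file is only an entropy seed and is unaffected.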
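Review bot: the dogtaginstance.py and httpinstance.py hunks replace binascii.hexlify(os.urandom(16)) and binascii.hexlify(os.urandom(10)), i.e. 128 and 80 bits of entropy, with pwd_len=20 and pwd_len=15; over a 95-symbol alphabet those give roughly 131 and 98 bits, so strength is preserved, but add a one-line comment beside each literal stating the bit target it was derived from, otherwise 20 and 15 read as arbitrary. Also hexlify() returned bytes while ipa_generate_password() presumably returns text, so check the later uses of self.admin_password and password for bytes/str mixing under Python 3.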
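The commit message above reasons about per-character probability (1/256 for raw random bytes, 1/95 for ipa_generate_password's default alphabet, 1/94 for the first and last character) to pick the new pwd_len values. As an added illustration that is not FreeIPA's own code, the following computes those entropies and the minimum pwd_len needed to match each os.urandom()-based value the patch replaces; the 95-character printable ASCII alphabet is an assumption taken from the commit message, and generate_password is a hypothetical stand-in for ipautil.ipa_generate_password.

```python
import math
import secrets
import string

# Constructed for this illustration: the 95 printable ASCII characters
# (letters, digits, punctuation and the space). The commit message gives
# 1/95 as the per-character probability of ipa_generate_password and
# 1/94 for the first and last character; which 95 symbols those are is
# an assumption here, not FreeIPA's own code.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` characters drawn uniformly and
    independently from `alphabet_size` symbols: length * log2(size)."""
    return length * math.log2(alphabet_size)


def entropy_bits_ipa(length, inner=95, ends=94):
    """Entropy when the first and last character are drawn from a
    smaller alphabet (1/94) than the middle ones (1/95), as the commit
    message states for ipa_generate_password."""
    if length <= 2:
        return length * math.log2(ends)
    return 2 * math.log2(ends) + (length - 2) * math.log2(inner)


def urandom_hex_bits(nbytes):
    """Entropy of binascii.hexlify(os.urandom(nbytes)): hex encoding
    doubles the string length but adds no entropy, so it is 8 * nbytes."""
    return 8 * nbytes


def min_length_for_bits(target_bits, alphabet_size=95):
    """Smallest password length over `alphabet_size` symbols that reaches
    at least `target_bits` of entropy; this is how pwd_len should be
    chosen when replacing an os.urandom()-based value."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_replacements():
    """Old vs. new entropy for the two replacements visible in the patch:
    the Dogtag admin password (16 random bytes -> pwd_len=20) and the
    httpd NSS database password (10 random bytes -> pwd_len=15).
    Returns {name: (old_bits, new_bits, preserved)}."""
    cases = {
        "dogtag admin_password": (16, 20),
        "httpd nss db password": (10, 15),
    }
    result = {}
    for name, (nbytes, pwd_len) in cases.items():
        old = urandom_hex_bits(nbytes)
        new = entropy_bits_ipa(pwd_len)
        result[name] = (old, new, new >= old)
    return result


def generate_password(length, alphabet=PRINTABLE):
    """Hypothetical stand-in for ipautil.ipa_generate_password(): draws
    each character with secrets.choice(), which uses the OS CSPRNG and
    rejection-samples, so there is no modulo bias (unlike random.choice()
    or `urandom_byte % len(alphabet)`)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, (old, new, ok) in compare_replacements().items():
        print("%-22s old=%.0f bits  new=%.1f bits  preserved=%s"
              % (name, old, new, ok))
    print("pwd_len for 128 bits:", min_length_for_bits(128))
    print("pwd_len for 80 bits:", min_length_for_bits(80))
    print("sample:", generate_password(min_length_for_bits(128)))
```

Running it shows why the synchronized version of the patch raised the Dogtag admin password length to 20: 16 characters over 95 symbols fall short of the 128 bits the replaced os.urandom(16) provided.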
[Freeipa-devel] [freeipa PR#317][opened] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: opened PR body: """ When installing FreeIPA in FIPS mode I noticed that there were often different ways of generating passwords in different spots raising the same issue with password requirements. Handling password generation at one centralized spot should allow us to handle any password requirements issues at this very spot. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From d214b72d6b2299df29540151a86671b361f16167 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH] Unify password generation across FreeIPA https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..8673a48 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) 
@@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password()) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None): @@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password()) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..b2a569a 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=16) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, 
@@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..e822b3c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +passwo
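Review bot: the dogtaginstance.py setup_admin hunk replaces binascii.hexlify(os.urandom(16)), which carries 128 bits of entropy, with ipa_generate_password(pwd_len=16); over a 95-symbol alphabet 16 characters carry only about 105 bits, so the Dogtag admin password gets weaker. Derive the length from the bit target rather than reusing the old byte count: 20 characters give about 131 bits and keep parity.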
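Review bot: the certs.py create_noise_file and create_passwd_file hunks call ipa_generate_password() with its default length, while the replaced gen_password() wrote a 40-character sha1 hexdigest; the default is not visible in this diff, so the strength of the NSS database password now silently depends on a value defined elsewhere. Pass an explicit pwd_len in both places, chosen from the entropy you want for that file, and use the same value in both hunks.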
[Freeipa-devel] [freeipa PR#316][opened] Fix error in permission-find post_callback search
URL: https://github.com/freeipa/freeipa/pull/316 Author: stlaz Title: #316: Fix error in permission-find post_callback search Action: opened PR body: """ This pull request fixes a bug introduced when fixing a different issue in https://github.com/freeipa/freeipa/commit/29aa4877eec89894cc3a6e50c4b6817a713d3177 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/316/head:pr316 git checkout pr316 From 209a62febff8ae835cf6bb74c5a00e8a817078d7 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 7 Dec 2016 11:51:19 +0100 Subject: [PATCH 1/2] Generalize filter generation in LDAPSearch Make it easier to generate search filters properly and in a unified way in any inheriting method https://fedorahosted.org/freeipa/ticket/5640 --- ipaserver/plugins/baseldap.py | 54 +++ 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index 5770641..9d6bfc7 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py 
@@ -1922,6 +1922,38 @@ def get_options(self): for option in self.get_member_options(attr): yield option +def get_attr_filter(self, ldap, **options): +""" +Returns a MATCH_ALL filter containing all required attributes from the +options +""" +search_kw = self.args_options_2_entry(**options) +search_kw['objectclass'] = self.obj.object_class +return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) + +def get_term_filter(self, ldap, term): +""" +Returns a filter to search for a value (term) in any of the +search attributes of an entry. +""" +if self.obj.search_attributes: +search_attrs = self.obj.search_attributes +else: +search_attrs = self.obj.default_attributes +if self.obj.search_attributes_config: +config = ldap.get_ipa_config() +config_attrs = config.get( +self.obj.search_attributes_config, []) +if len(config_attrs) == 1 and ( + isinstance(config_attrs[0], six.string_types)): +search_attrs = config_attrs[0].split(',') + +search_kw = {} +for a in search_attrs: +search_kw[a] = term + +return ldap.make_filter(search_kw, exact=False) + def get_member_filter(self, ldap, **options): filter = '' for attr in self.member_attributes: 
@@ -1981,26 +2013,8 @@ def execute(self, *args, **options): attrs_list.difference_update(self.obj.attribute_members) attrs_list = list(attrs_list) -if self.obj.search_attributes: -search_attrs = self.obj.search_attributes -else: -search_attrs = self.obj.default_attributes -if self.obj.search_attributes_config: -config = ldap.get_ipa_config() -config_attrs = config.get( -self.obj.search_attributes_config, []) -if len(config_attrs) == 1 and ( -isinstance(config_attrs[0], six.string_types)): -search_attrs = config_attrs[0].split(',') - -search_kw['objectclass'] = self.obj.object_class -attr_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL) - -search_kw = {} -for a in search_attrs: -search_kw[a] = term -term_filter = ldap.make_filter(search_kw, exact=False) - +attr_filter = self.get_attr_filter(ldap, **options) +term_filter = self.get_term_filter(ldap, term) member_filter = self.get_member_filter(ldap, **options) filter = ldap.combine_filters( From 0ffd604e30c66235af86c6bb76105ef210ceb80f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Wed, 7 Dec 2016 11:53:31 +0100 Subject: [PATCH 2/2] Fix permission-find with sizelimit set If permission-find is fired with an argument and sizelimit set a message about truncation will be sent along with the result as the search in post_callback() does general search instead of having its filter properly set. https://fedorahosted.org/freeipa/ticket/5640 --- ipaserver/plugins/permission.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py index 0bd75b0..dd2a018 100644 --- a/ipaserver/plugins/permission.py +++ b/ipaserver/plugins/permission.py @@ -1306,6 +1306,13 @@ def post_callback(self, ldap, entries, truncated, *args, **options): filters.append(ldap.make_filter_from_attr('cn', options['name'], exact=False)) +
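Review bot: in the hunk that adds get_attr_filter() and get_term_filter(), get_attr_filter() rebuilds search_kw from self.args_options_2_entry(**options), whereas the code it replaces set search_kw['objectclass'] on a search_kw that already existed in execute(); if that earlier dict was produced the same way this is a pure move, but if anything between its creation and use (for example a pre_callback) modified it, the attribute filter now differs. Confirm the two are equivalent, and mention in the get_term_filter() docstring that it performs an LDAP read via ldap.get_ipa_config() whenever search_attributes_config is set, since callers of a "make a filter" helper will not expect a directory round trip.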
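Review bot: in the execute() hunk, the attribute filter no longer touches search_kw, so the search_kw built earlier in execute() (visible only through the removed search_kw['objectclass'] assignment) is either dead and should be dropped together with its computation, or still used elsewhere and must not get the objectclass key added twice now that get_attr_filter() adds it; please check which and clean up accordingly.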
[Freeipa-devel] [freeipa PR#293][+ack] Run out-of-tree tests in Travis CI
URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI
URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI stlaz commented: """ Good. I see the tests pass now and both @tiran's nitpicks and @mbasti-rh's comment have been resolved, so an ACK is in order. """ See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-265398313
[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI
URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI stlaz commented: """ Since I recently ran into issues with ipa-server-install and low entropy somewhere around creation of kdb proxy which drastically increased install time, would it make sense to install haveged atop of our rpms to possibly mitigate the problem? """ See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-264906938
[Freeipa-devel] [freeipa PR#276][+ack] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging Label: +ack
[Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging stlaz commented: """ Seems to work fine, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-264793827
[Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging
URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging stlaz commented: """ Needs rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-264432666
[Freeipa-devel] [freeipa PR#278][+ack] Restore the original functionality of `env` and `plugins` commands
URL: https://github.com/freeipa/freeipa/pull/278 Title: #278: Restore the original functionality of `env` and `plugins` commands Label: +ack
[Freeipa-devel] [freeipa PR#278][comment] Restore the original functionality of `env` and `plugins` commands
URL: https://github.com/freeipa/freeipa/pull/278 Title: #278: Restore the original functionality of `env` and `plugins` commands stlaz commented: """ `env` works as expected, `plugins` seems to fail as expected. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/278#issuecomment-264421876
[Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
URL: https://github.com/freeipa/freeipa/pull/295 Title: #295: Issue6474 fixups stlaz commented: """ Good :) The tests seem to pass, the changes are trivial, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264207266
[Freeipa-devel] [freeipa PR#295][+ack] Issue6474 fixups
URL: https://github.com/freeipa/freeipa/pull/295 Title: #295: Issue6474 fixups Label: +ack
[Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
URL: https://github.com/freeipa/freeipa/pull/295 Title: #295: Issue6474 fixups stlaz commented: """ There are some more ipaplatform imports left, some in test_xmlrpc, test_webui, test_install and test_cmdline (which I think may interest you). Is it ok these are left there? """ See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264196326
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ The patch's already been pushed, could you, @mbasti-rh, supply the automated message? """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263808153
[Freeipa-devel] [freeipa PR#271][+pushed] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Label: +pushed
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ Last I checked the ticket was still open. The ticket was trying to solve the same issue as this PR although its aim shifted (see the link I posted in the comments). """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263576832
[Freeipa-devel] [freeipa PR#282][opened] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282 Author: stlaz Title: #282: replicainstall: give correct error message on DL mismatch Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6510 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/282/head:pr282 git checkout pr282 From 88eef020e93b7f23c7de0a2f8a3bd3611395bf61 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 29 Nov 2016 14:08:19 +0100 Subject: [PATCH] replicainstall: give correct error message on DL mismatch https://fedorahosted.org/freeipa/ticket/6510 --- ipaserver/install/server/replicainstall.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index a7b333c..0f45bea 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -557,7 +557,7 @@ def check_domain_level(api, expected): # available current = constants.DOMAIN_LEVEL_0 -if expected == constants.DOMAIN_LEVEL_0: +if current == constants.DOMAIN_LEVEL_0: message = ( "You must provide a file generated by ipa-replica-prepare to " "create a replica when the domain is at level 0."
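Review bot: the replaced condition tested expected == constants.DOMAIN_LEVEL_0, but the message it guards ("create a replica when the domain is at level 0") describes the actual domain level, which is current (the preceding fallback sets it to DOMAIN_LEVEL_0 when the level is not available), so current == constants.DOMAIN_LEVEL_0 is the right test. A one-token fix like this regresses easily; add a unit test for check_domain_level() that covers expected and current differing in both directions and asserts on the message chosen.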
[Freeipa-devel] [freeipa PR#271][+ack] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient Label: +ack
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient stlaz commented: """ I checked the rebase again as well as ran the tests. The changes in the PR clean the code nicely aside from doing what's proposed in the given ticket. The issues from CI and QuantifiedCode are only caused by moving the code in between modules. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-263548530
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization stlaz commented: """ This PR breaks almost all tests in test_ipalib/test_crud.py with `AttributeError: 'API' object has no attribute 'env'`. This error can be observed in some other tests: http://pastebin.com/8EjE2QVS (please disregard the DNS tests failures). """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263532334
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization stlaz commented: """ From offline discussion I got that the PR should actually work in the end. I'll make the review. """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263503377
[Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message
URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message stlaz commented: """ WONTFIX then. There's no winning here. """ See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-263265074
[Freeipa-devel] [freeipa PR#101][synchronized] Improved vault-show error message
URL: https://github.com/freeipa/freeipa/pull/101 Author: stlaz Title: #101: Improved vault-show error message Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/101/head:pr101 git checkout pr101 From fd39db9f8263ffbfd41791fffaf4514d9ce01953 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 25 Nov 2016 15:46:29 +0100 Subject: [PATCH 1/2] Added kwargs to handle_not_found method Adding kwargs allows invocation options to be passed to handle_not_found() to improve 'Not found' messages. https://fedorahosted.org/freeipa/ticket/5950 --- ipaserver/plugins/automount.py | 2 +- ipaserver/plugins/baseldap.py | 23 --- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/automount.py b/ipaserver/plugins/automount.py index c4cf2d6..a5be853 100644 --- a/ipaserver/plugins/automount.py +++ b/ipaserver/plugins/automount.py @@ -568,7 +568,7 @@ def get_dn(self, *keys, **kwargs): return dn -def handle_not_found(self, *keys): +def handle_not_found(self, *keys, **kwargs): pkey = keys[-1] key = pkey.split(self.rdn_separator)[0] info = self.rdn_separator.join(pkey.split(self.rdn_separator)[1:]) diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py index 5770641..66b555e 100644 --- a/ipaserver/plugins/baseldap.py +++ b/ipaserver/plugins/baseldap.py @@ -750,7 +750,7 @@ def get_password_attributes(self, ldap, dn, entry_attrs): except errors.NotFound: entry_attrs[attr] = False -def handle_not_found(self, *keys): +def handle_not_found(self, *keys, **kwargs): pkey = '' if self.primary_key: pkey = keys[-1] @@ -1013,7 +1013,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options): dn, needldapattrs ) except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) # Provide a nice error message when user tries to delete an # attribute that does not exist on the entry (and user is not 
@@ -1218,7 +1218,7 @@ def execute(self, *keys, **options): entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)( entry_attrs.dn, attrs_list) except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) self.obj.get_indirect_members(entry_attrs, attrs_list) @@ -1318,7 +1318,7 @@ def execute(self, *keys, **options): dn, attrs_list ) except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) self.obj.get_indirect_members(entry_attrs, attrs_list) @@ -1459,7 +1459,7 @@ def execute(self, *keys, **options): if not rdnupdate: raise e except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) try: entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)( @@ -1540,12 +1540,12 @@ def delete_subtree(base_dn): try: self._exc_wrapper(nkeys, options, ldap.delete_entry)(base_dn) except errors.NotFound: -self.obj.handle_not_found(*nkeys) +self.obj.handle_not_found(*nkeys, **options) try: self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn) except errors.NotFound: -self.obj.handle_not_found(*nkeys) +self.obj.handle_not_found(*nkeys, **options) except errors.NotAllowedOnNonLeaf: if not self.subtree_delete: raise @@ -1702,7 +1702,7 @@ def execute(self, *keys, **options): dn, attrs_list ) except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) self.obj.get_indirect_members(entry_attrs, attrs_list) @@ -1803,7 +1803,7 @@ def execute(self, *keys, **options): dn, attrs_list ) except errors.NotFound: -self.obj.handle_not_found(*keys) +self.obj.handle_not_found(*keys, **options) self.obj.get_indirect_members(entry_attrs, attrs_list) 
@@ -2022,7 +2022,8 @@ def execute(self, *args, **options): except errors.EmptyResult: (entries, truncated) = ([], False) except errors.NotFound: -self.api.Object[self.obj.parent_object].handle_not_found(*keys) +self.api.Object[self.obj.parent_object].handle_not_found( +*keys, **options) for ca
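Review bot: widening handle_not_found() to (self, *keys, **kwargs) and passing **options at every baseldap.py call site means any other override still declared as (self, *keys) will raise TypeError on the first NotFound it handles; this patch updates the automount.py override only, so grep the remaining plugins for handle_not_found overrides before merging. The base implementation in baseldap.py accepts **kwargs and ignores them, which is fine, but state in its docstring that the kwargs are the invoking command's options, so that future overrides know what they may read from them.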
[Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message
URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message stlaz commented: """ Seems like nobody objected so far. """ See the full comment at https://github.com/freeipa/freeipa/pull/101#issuecomment-262971504
[Freeipa-devel] [freeipa PR#252][comment] Use namespace-aware meta importer for ipaplatform
URL: https://github.com/freeipa/freeipa/pull/252 Title: #252: Use namespace-aware meta importer for ipaplatform stlaz commented: """ It is not AFAIK. I noted that in https://fedorahosted.org/freeipa/ticket/6474 comment and there's also discussion about this in https://github.com/freeipa/freeipa/pull/271. Closing this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/252#issuecomment-262951316
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
stlaz commented: """
@jcholast Thanks, I'll add it as a comment to that ticket so that it's more visible to a potential community :)

@tiran I already did the review, the conflicts are very easily resolvable (ntpconf was moved, two functions are moved from ipa_replica_prepare). I can see where you're heading and I guess it'd be better to split the PR in the future, although I prefer 1 PR for 1 ticket if that is doable, and it is in this case. Can you please rather check if it matches your use-case and bless this PR with a functional ACK so that we can get it pushed?

edit: Removed the LGTM till the outlined necessary issues are fixed; I expect that to come with the rebase.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
stlaz commented: """
@jcholast Thanks, I'll add it as a comment to that ticket so that it's more visible to a potential community :) + LGTM

@tiran I already did the review, the conflicts are very easily resolvable (ntpconf was moved, two functions are moved from ipa_replica_prepare). I can see where you're heading and I guess it'd be better to split the PR in the future, although I prefer 1 PR for 1 ticket if that is doable, and it is in this case. Can you please rather check if it matches your use-case and bless this PR with a functional ACK so that we can get it pushed?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876
[Freeipa-devel] [freeipa PR#231][synchronized] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 From 630ffb267f465921cdacf21f0884addd42778bae Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 10 Nov 2016 14:24:26 +0100 Subject: [PATCH] Do not log DM password in ca/kra installation logs https://fedorahosted.org/freeipa/ticket/6461 --- ipaserver/install/cainstance.py | 5 - ipaserver/install/dogtaginstance.py | 12 +++- ipaserver/install/krainstance.py| 5 - 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c31281..90b4349 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -576,7 +576,10 @@ def __spawn_instance(self): self.backup_state('installed', True) try: -DogtagInstance.spawn_instance(self, cfg_file) +DogtagInstance.spawn_instance( +self, cfg_file, +nolog_list=(self.dm_password, self.admin_password) +) finally: os.remove(cfg_file) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index cbe3e43..6d6f0c5 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -150,19 +150,13 @@ def is_installed(self): return os.path.exists(os.path.join( paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower())) -def spawn_instance(self, cfg_file, nolog_list=None): +def spawn_instance(self, cfg_file, nolog_list=()): """ Create and configure a new Dogtag instance using pkispawn. Passes in a configuration file with IPA-specific parameters. """ subsystem = self.subsystem - -# Define the things we don't want logged -if nolog_list is None: -nolog_list = [] -nolog = tuple(nolog_list) + (self.admin_password,) - args = [paths.PKISPAWN, "-s", subsystem, "-f", cfg_file] 
@@ -170,10 +164,10 @@ def spawn_instance(self, cfg_file, nolog_list=None): with open(cfg_file) as f: self.log.debug( 'Contents of pkispawn configuration file (%s):\n%s', -cfg_file, ipautil.nolog_replace(f.read(), nolog)) +cfg_file, ipautil.nolog_replace(f.read(), nolog_list)) try: -ipautil.run(args, nolog=nolog) +ipautil.run(args, nolog=nolog_list) except ipautil.CalledProcessError as e: self.handle_setup_error(e) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 77f23c1..5363ec2 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -257,7 +257,10 @@ def __spawn_instance(self): config.write(f) try: -DogtagInstance.spawn_instance(self, cfg_file) +DogtagInstance.spawn_instance( +self, cfg_file, +nolog_list=(self.dm_password, self.admin_password) +) finally: os.remove(p12_tmpfile_name) os.remove(cfg_file) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
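Review bot: the first dogtaginstance.py hunk removes `nolog = tuple(nolog_list) + (self.admin_password,)`, so `spawn_instance` no longer redacts the admin password itself and redaction becomes entirely the caller's job; the patch updates the cainstance and krainstance callers, but any other caller that omits `nolog_list` (default now `()`) will log `self.admin_password` in the debug dump of the pkispawn config and in the `ipautil.run` output. Please confirm those two are the only callers, and update the docstring ("Create and configure a new Dogtag instance using pkispawn. ...") to state that `nolog_list` must contain every secret present in `cfg_file`.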
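Review bot: in the `@@ -170,10 +164,10` hunk, `ipautil.nolog_replace(f.read(), nolog_list)` and `ipautil.run(args, nolog=nolog_list)` now receive the tuple exactly as the caller built it, `(self.dm_password, self.admin_password)`; if either attribute can be unset on some install path, a `None` or empty-string entry reaches the replacement routine. Consider filtering falsy values first, e.g. `nolog_list = tuple(p for p in nolog_list if p)`, before both the debug log and the run call.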
[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs
stlaz commented: """ @martbab Oh, I thought you wanted me to re-add `dm_password` to DogtagInstance as @tomaskrizek, which does not seem right as DogtagInstance is in no position to decide what to log and what not, as it does not really know what's in that cfg_file it's getting. Will get it passed from the actual caller of `spawn_instance`, which is either cainstance or krainstance. """
See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-262174051
[Freeipa-devel] [freeipa PR#212][+ack] KRA: don't add KRA container when KRA replica
URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica
Label: +ack
[Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica
URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica
stlaz commented: """ ACK, works on both DLs. """
See the full comment at https://github.com/freeipa/freeipa/pull/212#issuecomment-261890178
[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs
stlaz commented: """ I must have misclicked "close" when viewing this PR on my phone. I believe we may rather add admin and DM passwords to the nolog_list at the point where the disclosed credentials file is created so that we avoid problems like this one in the future. """
See the full comment at https://github.com/freeipa/freeipa/pull/231#issuecomment-261550522
[Freeipa-devel] [freeipa PR#231][reopened] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231
Author: stlaz
Title: #231: Do not log DM password in ca/kra installation logs
Action: reopened
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/231/head:pr231
git checkout pr231
[Freeipa-devel] [freeipa PR#231][closed] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231
Author: stlaz
Title: #231: Do not log DM password in ca/kra installation logs
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/231/head:pr231
git checkout pr231
[Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function
URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Remove unused Knob function
stlaz commented: """ From our offline discussion I got the impression the Knob function was still used somewhere, therefore the ACK. I'm not sure what the reason for keeping Knob there even if unused was; you may need to check with @jcholast. """
See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-260173516
[Freeipa-devel] [freeipa PR#235][+ack] Make Knob function deprecated
URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Make Knob function deprecated
Label: +ack
[Freeipa-devel] [freeipa PR#235][comment] Make Knob function deprecated
URL: https://github.com/freeipa/freeipa/pull/235
Title: #235: Make Knob function deprecated
stlaz commented: """ ACK, there should be a note about this deprecation somewhere. Deleting Knob might be worth a ticket as well. """
See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-259981300
[Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica
URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica
stlaz commented: """ configure_instance and configure_replica codes were merged, you'll need to check for self.clone value instead. """
See the full comment at https://github.com/freeipa/freeipa/pull/212#issuecomment-259947987
[Freeipa-devel] [freeipa PR#231][opened] Do not log DM password in ca/kra installation logs
URL: https://github.com/freeipa/freeipa/pull/231 Author: stlaz Title: #231: Do not log DM password in ca/kra installation logs Action: opened PR body: """ We can merge this after refactoring merges not to mess the rebases. https://fedorahosted.org/freeipa/ticket/6461 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/231/head:pr231 git checkout pr231 From d40d3e9bc5c0cccbd172ae4480316c13f3bf82f7 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 10 Nov 2016 14:24:26 +0100 Subject: [PATCH] Do not log DM password in ca/kra installation logs https://fedorahosted.org/freeipa/ticket/6461 --- ipaserver/install/cainstance.py | 3 ++- ipaserver/install/krainstance.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c31281..ed5ac9e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -576,7 +576,8 @@ def __spawn_instance(self): self.backup_state('installed', True) try: -DogtagInstance.spawn_instance(self, cfg_file) +DogtagInstance.spawn_instance(self, cfg_file, + nolog_list=[self.dm_password]) finally: os.remove(cfg_file) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 77f23c1..e749c73 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -257,7 +257,8 @@ def __spawn_instance(self): config.write(f) try: -DogtagInstance.spawn_instance(self, cfg_file) +DogtagInstance.spawn_instance(self, cfg_file, + nolog_list=[self.dm_password]) finally: os.remove(p12_tmpfile_name) os.remove(cfg_file) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
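Review bot: both hunks pass `nolog_list=[self.dm_password]` only, so the admin password is still redacted solely because `spawn_instance` at this revision appends it itself (`nolog = tuple(nolog_list) + (self.admin_password,)`, the lines removed in the later synchronized dogtaginstance.py diff of this PR); that split of responsibility (caller redacts the DM password, base class redacts the admin password) is nowhere written down. A one-line comment at the call sites, or a docstring note on `spawn_instance`, would make it explicit and stop the next refactor from silently dropping one of the two.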
[Freeipa-devel] [freeipa PR#201][+ack] spec file: bump minimal required version of 389-ds-base
URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base
Label: +ack
[Freeipa-devel] [freeipa PR#201][comment] spec file: bump minimal required version of 389-ds-base
URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base
stlaz commented: """ ACK """
See the full comment at https://github.com/freeipa/freeipa/pull/201#issuecomment-257535867
[Freeipa-devel] [freeipa PR#199][opened] [ipa-4-4] Fix missing file that fails DL1 replica installation
URL: https://github.com/freeipa/freeipa/pull/199 Author: stlaz Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation Action: opened PR body: """ Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6393 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/199/head:pr199 git checkout pr199 From 35a53216b5230c8fab5ede0932f840ac5d884ef1 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 31 Oct 2016 16:51:49 +0100 Subject: [PATCH] Fix missing file that fails DL1 replica installation Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6393 --- ipaserver/install/httpinstance.py | 25 + 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7914f4c..726d5a4 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -345,14 +345,23 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() -elif not self.promote: -db.create_password_conf() -self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, - ca_db) -db.track_server_cert(self.cert_nickname, self.principal, - db.passwd_fname, 'restart_httpd') -db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) -self.add_cert_to_service() +else: +if not self.promote: +db.create_password_conf() +self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, + ca_db) +db.track_server_cert(self.cert_nickname, self.principal, + db.passwd_fname, 'restart_httpd') +db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) +self.add_cert_to_service() + +server_certs = db.find_server_certs() +if not server_certs: +raise RuntimeError("Could not find a suitable server cert.") + +# We only handle one server cert +nickname = server_certs[0][0] +db.export_ca_cert(nickname) # Fix the database permissions os.chmod(certs.NSS_DIR + "/cert8.db", 0o660) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
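Review bot: in the new `else:` block the nickname handed to `db.export_ca_cert(nickname)` is `server_certs[0][0]` under the comment `# We only handle one server cert`, yet on the `not self.promote` path the nickname is already known as `self.cert_nickname` (it was just passed to `db.create_server_cert` and `db.track_server_cert`); if `find_server_certs()` ever returns more than one entry, the first one may not be the cert that was just created. Consider using `self.cert_nickname` when it is set and falling back to the search only on the promote path, or at least checking that the chosen nickname matches it.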
[Freeipa-devel] [freeipa PR#198][synchronized] Fix missing file that fails DL1 replica installation
URL: https://github.com/freeipa/freeipa/pull/198 Author: stlaz Title: #198: Fix missing file that fails DL1 replica installation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/198/head:pr198 git checkout pr198 From 1bb1a41dff63c09bbe03ff6dc3d63fcd26078630 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 31 Oct 2016 16:51:49 +0100 Subject: [PATCH] Fix missing file that fails DL1 replica installation Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6393 --- ipaserver/install/httpinstance.py | 23 --- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 5c56f11..decf996 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -340,13 +340,22 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() -elif not self.promote: -db.create_password_conf() -self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, - ca_db) -db.track_server_cert(self.cert_nickname, self.principal, - db.passwd_fname, 'restart_httpd') -self.add_cert_to_service() +else: +if not self.promote: +db.create_password_conf() +self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, + ca_db) +db.track_server_cert(self.cert_nickname, self.principal, + db.passwd_fname, 'restart_httpd') +self.add_cert_to_service() + +server_certs = db.find_server_certs() +if not server_certs: +raise RuntimeError("Could not find a suitable server cert.") + +# We only handle one server cert +nickname = server_certs[0][0] +db.export_ca_cert(nickname) # Fix the database permissions os.chmod(certs.NSS_DIR + "/cert8.db", 0o660) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
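Review bot: `db.export_ca_cert(nickname)` is only reached through the new `else:` branch, i.e. not when the preceding branch (the one ending in `self.__set_mod_nss_nickname(nickname)` / `self.add_cert_to_service()`) is taken; if that branch also needs `/etc/httpd/alias/cacert.asc` to exist for the replica install described in the commit message, the export should move after the whole `if`/`else` so it runs in every case. If skipping it there is intentional, a short comment saying why would help the next reader.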
[Freeipa-devel] [freeipa PR#198][edited] Fix missing file that fails DL1 replica installation
URL: https://github.com/freeipa/freeipa/pull/198
Author: stlaz
Title: #198: Fix missing file that fails DL1 replica installation
Action: edited
Changed field: body
Original value: """ Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6442 """
[Freeipa-devel] [freeipa PR#198][opened] Fix missing file that fails DL1 replica installation
URL: https://github.com/freeipa/freeipa/pull/198 Author: stlaz Title: #198: Fix missing file that fails DL1 replica installation Action: opened PR body: """ Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6442 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/198/head:pr198 git checkout pr198 From 26b2e1c6d03035d6cafa329949cb74445aa0ffe7 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 31 Oct 2016 16:51:49 +0100 Subject: [PATCH] Fix missing file that fails DL1 replica installation Replica installation on DL1 would fail to create a httpd instance due to missing '/etc/httpd/alias/cacert.asc'. Create this file in the setup_ssl step to avoid the error. https://fedorahosted.org/freeipa/ticket/6442 --- ipaserver/install/httpinstance.py | 23 --- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 5c56f11..8401634 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -340,13 +340,22 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() -elif not self.promote: -db.create_password_conf() -self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, - ca_db) -db.track_server_cert(self.cert_nickname, self.principal, - db.passwd_fname, 'restart_httpd') -self.add_cert_to_service() +else: +if not self.promote: +db.create_password_conf() +self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, + ca_db) +db.track_server_cert(self.cert_nickname, self.principal, + db.passwd_fname, 'restart_httpd') +self.add_cert_to_service() + +server_certs = db.find_server_certs() +if len(server_certs) == 0: +raise RuntimeError("Could not find a suitable server cert.") + +# We only handle one server cert +nickname = server_certs[0][0] +db.export_ca_cert(nickname) # Fix the database permissions os.chmod(certs.NSS_DIR + "/cert8.db", 0o660) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
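Review bot: `if len(server_certs) == 0:` is better written as `if not server_certs:`, the idiom this function already uses for its other truthiness checks (`if not self.promote:`). The `RuntimeError("Could not find a suitable server cert.")` would also be more actionable if it named the NSS database that was searched, since the operator hitting it during a replica install has nothing else to go on.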
[Freeipa-devel] [freeipa PR#188][comment] Move Python build artefacts to top level directory
URL: https://github.com/freeipa/freeipa/pull/188
Title: #188: Move Python build artefacts to top level directory
stlaz commented: """ +1 with @pspacek, build artefacts should be in the same directory as is their source. I would like to have them removed on `make clean` if that does not currently work. """
See the full comment at https://github.com/freeipa/freeipa/pull/188#issuecomment-256583611
[Freeipa-devel] [freeipa PR#193][opened] [ipa-4-4] Make httpd publish its CA certificate on DL1
URL: https://github.com/freeipa/freeipa/pull/193 Author: stlaz Title: #193: [ipa-4-4] Make httpd publish its CA certificate on DL1 Action: opened PR body: """ httpd did not publish its certificate on DL1 which could cause issues during client installation in a rare corner case where there would be no way of getting the certificate but from a HTTP instance. https://fedorahosted.org/freeipa/ticket/6393 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/193/head:pr193 git checkout pr193 From 6791beb8cb71311c36bac72db9467079e571fbbd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 11 Oct 2016 15:48:47 +0200 Subject: [PATCH] Make httpd publish its CA certificate on DL1 httpd did not publish its certificate on DL1 which could cause issues during client installation in a rare corner case where there would be no way of getting the certificate but from a HTTP instance. https://fedorahosted.org/freeipa/ticket/6393 --- ipaserver/install/httpinstance.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7914f4c..da46f4d 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -175,8 +175,7 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None, self.step("importing CA certificates from LDAP", self.__import_ca_certs) if autoconfig: self.step("setting up browser autoconfig", self.__setup_autoconfig) -if not self.promote: -self.step("publish CA cert", self.__publish_ca_cert) +self.step("publish CA cert", self.__publish_ca_cert) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) if not self.is_kdcproxy_configured(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
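Review bot: with `if not self.promote:` removed, `self.__publish_ca_cert` now also runs on the promote (DL1 replica) path; the step list shows it is scheduled after `self.__import_ca_certs`, so the CA certificate should already be in the NSS database by then, but please confirm `__publish_ca_cert` does not rely on anything that only the non-promote path sets up. The missing `/etc/httpd/alias/cacert.asc` discussed in the PR #198 / #199 threads above is exactly that kind of dependency, so the two changes should be tested together on a DL1 replica.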
[Freeipa-devel] [freeipa PR#151][synchronized] Make httpd publish its CA certificate on DL1
URL: https://github.com/freeipa/freeipa/pull/151 Author: stlaz Title: #151: Make httpd publish its CA certificate on DL1 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/151/head:pr151 git checkout pr151 From f71bb9e91758072d8c4c7c695f859ac6d4807242 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 11 Oct 2016 15:48:47 +0200 Subject: [PATCH] Make httpd publish its CA certificate on DL1 httpd did not publish its certificate on DL1 which could cause issues during client installation in a rare corner case where there would be no way of getting the certificate but from a HTTP instance. https://fedorahosted.org/freeipa/ticket/6393 --- ipaserver/install/httpinstance.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 60d62c0..b102c82 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -171,8 +171,7 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None, self.step("setting up httpd keytab", self.__create_http_keytab) self.step("setting up ssl", self.__setup_ssl) self.step("importing CA certificates from LDAP", self.__import_ca_certs) -if not self.promote: -self.step("publish CA cert", self.__publish_ca_cert) +self.step("publish CA cert", self.__publish_ca_cert) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) if not self.is_kdcproxy_configured(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
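Review bot: the commit message explains why httpd must publish its CA certificate on DL1 (the corner case where a client has "no way of getting the certificate but from a HTTP instance") but not where the certificate is published or how a client retrieves it; since the hunk only unconditionally schedules the existing `self.__publish_ca_cert` step, naming the published location in the commit message would let a reviewer verify the fix against the client-install code path without reading the step's implementation.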
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
stlaz commented: """ @martbab Thanks, that worked. However, the first set of patches was not yet ACKed in https://github.com/freeipa/freeipa/pull/171. """
See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-254843561
[Freeipa-devel] [freeipa PR#159][-ack] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
Label: -ack
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
stlaz commented: """ @martbab Thanks, that worked. ACK. """
See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-254843561
[Freeipa-devel] [freeipa PR#159][+ack] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
Label: +ack
[Freeipa-devel] [freeipa PR#171][comment] Build system cleanup phase 2
URL: https://github.com/freeipa/freeipa/pull/171
Title: #171: Build system cleanup phase 2
stlaz commented: """ +1 to push, the comments were added to outdated diffs so I thought them resolved. They are now. """
See the full comment at https://github.com/freeipa/freeipa/pull/171#issuecomment-254800566
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
stlaz commented: """
For some reason, after running `sudo dnf builddep freeipa.spec`, which is successful, if I run the same command again, it fails:
```
[login@vm freeipa-git]$ sudo dnf builddep --spec freeipa.spec
Last metadata expiration check: 0:23:03 ago on Wed Oct 19 13:53:25 2016.
Failed to open: 'freeipa.spec', not a valid spec file.
Error: Some packages could not be found.
```
Adding `-v` or `-d 10` options did not provide any more useful output about this error. This may possibly be a dnf bug.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-254795768