[Freeipa-devel] [bind-dyndb-ldap PR#6][comment] handle termination of syncrepl watcher thread

2016-12-20 Thread tbordaz
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6
Title: #6: handle termination of syncrepl watcher thread

tbordaz commented:
"""
The patch looks good to me. ACK
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/6#issuecomment-268201031
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level

2016-12-13 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
 Title: #324: Check for conflict entries before raising domain level
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324
From 94d592d557795cdf05f3fd3679ea7fcc9ed7f153 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkris...@redhat.com>
Date: Fri, 9 Dec 2016 15:04:21 +0100
Subject: [PATCH] Check for conflict entries before raising domain level

Checking of conflicts is not only done in topology container as
tests showed it can occur elsewhere

https://fedorahosted.org/freeipa/ticket/6534
---
 ipaserver/plugins/domainlevel.py | 28 
 1 file changed, 28 insertions(+)

diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py
index 42603d7..e1f0251 100644
--- a/ipaserver/plugins/domainlevel.py
+++ b/ipaserver/plugins/domainlevel.py
@@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry):
 return DomainLevelRange(0, 0)
 
 
+def check_conflict_entries(ldap, api, desired_value):
+"""
+Check if conflict entries exist in topology subtree
+"""
+
+container_dn = DN(
+('cn', 'ipa'),
+('cn', 'etc'),
+api.env.basedn
+)
+conflict="(nsds5replconflict=*)"
+subentry="(|(objectclass=ldapsubentry)(objectclass=*))"
+try:
+ldap.get_entries(
+filter="(& %s %s)" % (conflict, subentry),
+base_dn=container_dn,
+scope=ldap.SCOPE_SUBTREE)
+message = _("Domain Level cannot be raised to {0}, "
+"existing replication conflicts have to be resolved."
+.format(desired_value))
+raise errors.InvalidDomainLevelError(reason=message)
+except errors.NotFound:
+pass
+
 def get_master_entries(ldap, api):
 """
 Returns list of LDAPEntries representing IPA masters.
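Review bot: The docstring "Check if conflict entries exist in topology subtree" contradicts the commit message: the search base is `cn=ipa,cn=etc,<basedn>`, which is wider than the topology container, and the commit message says that widening is the point ("it can occur elsewhere"). Make the docstring say what is actually searched. Two smaller points on the same hunk: the filter is assembled as `"(& %s %s)"` with spaces inside the parentheses, which is not part of the RFC 4515 grammar and relies on client/server leniency, so `"(&%s%s)"` is safer; and the entries returned by `ldap.get_entries` are discarded, so the admin is told conflicts exist but not which DNs, and listing them in the error (or at least logging them) would make the failure actionable.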
@@ -131,6 +155,10 @@ def execute(self, *args, **options):
 .format(desired_value, master['cn'][0]))
 raise errors.InvalidDomainLevelError(reason=message)
 
+# Check if conflict entries exist in topology subtree
+# should be resolved first
+check_conflict_entries(ldap, self.api, desired_value)
+
 current_entry.single_value['ipaDomainLevel'] = desired_value
 ldap.update_entry(current_entry)
 
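Review bot: The comment "# Check if conflict entries exist in topology subtree" repeats the narrower wording while `check_conflict_entries` searches the whole `cn=etc` subtree; say that here too, since this comment is what the next reader of `execute` sees. The placement is right: the check runs after the per-master range checks and before `ldap.update_entry`, so a failing check leaves `ipaDomainLevel` untouched. It is a point-in-time read, though: a conflict entry replicated in between this search and the update is not caught, which is acceptable for an admin-driven command but worth a sentence in the ticket.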

[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level

2016-12-12 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
 Title: #324: Check for conflict entries before raising domain level
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324
From 5e544ae0477cda154996b158960006878d1a09dc Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkris...@redhat.com>
Date: Fri, 9 Dec 2016 15:04:21 +0100
Subject: [PATCH] Check for conflict entries before raising domain level

Checking of conflicts is not only done in topology container as
tests showed it can occur elsewhere

https://fedorahosted.org/freeipa/ticket/6534
---
 ipaserver/plugins/domainlevel.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py
index 42603d7..749dce3 100644
--- a/ipaserver/plugins/domainlevel.py
+++ b/ipaserver/plugins/domainlevel.py
@@ -48,6 +48,29 @@ def get_domainlevel_range(master_entry):
 return DomainLevelRange(0, 0)
 
 
+def check_conflict_entries(ldap, api, desired_value):
+"""
+Check if conflict entries exist in topology subtree
+"""
+
+container_dn = DN(
+('cn', 'ipa'),
+('cn', 'etc'),
+api.env.basedn
+)
+
+try:
+ldap.get_entries(
+filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))",
+base_dn=container_dn,
+scope=ldap.SCOPE_SUBTREE)
+message = _("Domain Level cannot be raised to {0}, "
+"existing replication conflicts have to be resolved."
+.format(desired_value))
+raise errors.InvalidDomainLevelError(reason=message)
+except errors.NotFound:
+pass
+
 def get_master_entries(ldap, api):
 """
 Returns list of LDAPEntries representing IPA masters.
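Review bot: The `filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))"` line runs well past 79 columns; splitting the filter into named parts (the conflict term and the subentry term) keeps it readable and within the project's line-length convention. While at it, a one-line comment explaining the `(|(objectclass=ldapsubentry)(objectclass=*))` term, presumably there because 389-ds hides `ldapsubentry` objects from searches that do not name that objectclass, would stop the next reader from "simplifying" it to `(objectclass=*)`.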
@@ -131,6 +154,9 @@ def execute(self, *args, **options):
 .format(desired_value, master['cn'][0]))
 raise errors.InvalidDomainLevelError(reason=message)
 
+# Check if conflict entries exist in topology subtree, should be resolved first
+check_conflict_entries(ldap, self.api, desired_value)
+
 current_entry.single_value['ipaDomainLevel'] = desired_value
 ldap.update_entry(current_entry)
 
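Review bot: The added comment "# Check if conflict entries exist in topology subtree, should be resolved first" exceeds 79 columns; wrap it onto two lines. Otherwise the call site is correct: it sits after the per-master checks and before `ldap.update_entry`, so the domain level is only written once the conflict check has passed.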

[Freeipa-devel] [freeipa PR#322][comment] masters DS<1.3.3 do not support bind group

2016-12-09 Thread tbordaz
  URL: https://github.com/freeipa/freeipa/pull/322
Title: #322: masters DS<1.3.3 do not support bind group

tbordaz commented:
"""
Oops, I missed that, thanks for the heads up.
PR #319 and #315 are better fixes for this issue.
#322 should be discarded.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/322#issuecomment-265984866

[Freeipa-devel] [freeipa PR#322][opened] masters DS<1.3.3 do not support bind group

2016-12-08 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/322
Author: tbordaz
 Title: #322: masters DS<1.3.3 do not support bind group
Action: opened

PR body:
"""
Check the instance version before setting nsds5replicabinddngroup and
nsds5replicabinddngroupcheckinterval

https://fedorahosted.org/freeipa/ticket/6532
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/322/head:pr322
git checkout pr322
From f7f759a86cf33a1fe5a04f5bc209a934cacc7cea Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbor...@redhat.com>
Date: Thu, 8 Dec 2016 18:21:03 +0100
Subject: [PATCH] masters DS<1.3.3 do not support bind group

Check the instance version before setting nsds5replicabinddngroup and
nsds5replicabinddngroupcheckinterval

https://fedorahosted.org/freeipa/ticket/6532
---
 ipaserver/install/replication.py | 44 
 1 file changed, 36 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index ddae08e..2221b5e 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -24,6 +24,7 @@
 import datetime
 import sys
 import os
+import re
 from random import randint
 
 import ldap
@@ -441,6 +442,32 @@ def replica_config(self, conn, replica_id, replica_binddn):
 dn = self.replica_dn()
 assert isinstance(dn, DN)
 
+support_binddngroup = False
+try:
+# check that the replica version is > 1.3.3 to support bind group
+entry = conn.get_entry(DN(""), attrs_list=['vendorVersion'])
+vendor_version = entry.get('vendorVersion')[0]
+if vendor_version:
+replica_version = re.search('389-Directory/(.+?) .*', vendor_version)
+root_logger.info("Replica version: %s" % replica_version.group(1))
+version_num = [int(s) for s in replica_version.group(1).split('.') if s.isdigit()]
+if version_num[0] > 1:
+support_binddngroup = True
+elif version_num[0] == 1:
+# version 1.x
+if version_num[1] > 3:
+support_binddngroup = True
+elif version_num[1] == 3:
+# version 1.3.x
+if version_num[2] >= 3:
+support_binddngroup = True
+except Exception as e:
+root_logger.info("Unable to check replica version: %s" % str(e))
+raise
+root_logger.info("Bind DN group support: %s" % support_binddngroup)
+
+
+
 try:
 entry = conn.get_entry(dn)
 managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
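Review bot: The `except Exception as e: ... raise` at the end of the version probe makes the `support_binddngroup = False` default dead code: any failure to read or parse `vendorVersion` aborts `replica_config` instead of falling back to the no-group path, so decide which behaviour is wanted and either drop the default or drop the `raise`. The comment says "> 1.3.3" while the code accepts `>= 1.3.3` (the `version_num[2] >= 3` branch); align them. The three nested comparisons collapse to `tuple(version_num[:3]) >= (1, 3, 3)`, which also avoids the IndexError on a two-component version that currently lands in the broad except. Finally, `re.search('389-Directory/(.+?) .*', vendor_version)` returning None surfaces as an AttributeError on `.group(1)`; test for a match first and log the raw `vendorVersion` string so the admin can see what did not parse. The three blank lines after the `root_logger.info("Bind DN group support: ...")` call should be reduced to one.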
@@ -453,15 +480,16 @@ def replica_config(self, conn, replica_id, replica_binddn):
 mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
 replica_binddn))
 
-if self.repl_man_group_dn not in binddn_groups:
-mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
-self.repl_man_group_dn))
+if support_binddngroup:
+if self.repl_man_group_dn not in binddn_groups:
+mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+self.repl_man_group_dn))
 
-if 'nsds5replicabinddngroupcheckinterval' not in entry:
-mod.append(
-(ldap.MOD_ADD,
- 'nsds5replicabinddngroupcheckinterval',
- '60'))
+if 'nsds5replicabinddngroupcheckinterval' not in entry:
+mod.append(
+(ldap.MOD_ADD,
+ 'nsds5replicabinddngroupcheckinterval',
+ '60'))
 if mod:
 conn.modify_s(dn, mod)
 
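Review bot: A short comment on the `if support_binddngroup:` branch saying that on DS < 1.3.3 only the per-replica `nsDS5ReplicaBindDN` is added and the `nsds5replicabinddngroup` / `nsds5replicabinddngroupcheckinterval` attributes are skipped would help the next reader of the modify path, since the only record of that decision is the earlier log line. Re-indenting the two existing `if` blocks under the new condition is otherwise straightforward and the `'60'` check interval is unchanged.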

[Freeipa-devel] [freeipa PR#211][opened] IPA Allows Password Reuse with History value defined when admin reset…

2016-11-02 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/211
Author: tbordaz
 Title: #211: IPA Allows Password Reuse with History value defined when admin reset…
Action: opened

PR body:
"""
…s the password.

When an admin resets a user password, the history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/211/head:pr211
git checkout pr211
From 95aea810c8b19104a5b71dbd2cb55bf04031b652 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbor...@redhat.com>
Date: Wed, 19 Oct 2016 15:04:13 +0200
Subject: [PATCH] IPA Allows Password Reuse with History value defined when
 admin resets the password.

When an admin resets a user password, the history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 22 +-
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index cab7b7c..8ee0417 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;
 
 switch(data->changetype) {
-case IPA_CHANGETYPE_ADMIN:
-/* The expiration date needs to be older than the current time
- * otherwise the KDC may not immediately register the password
- * as expired. The last password change needs to match the
- * password expiration otherwise minlife issues will arise.
- */
-data->timeNow -= 1;
-data->expireTime = data->timeNow;
-break;
 case IPA_CHANGETYPE_NORMAL:
 /* Find the entry with the password policy */
 ret = ipapwd_getPolicy(data->dn, data->target, );
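Review bot: The context line `ret = ipapwd_getPolicy(data->dn, data->target, );` is shown with its third argument missing, presumably the address of `pol` (see `pol.min_pwd_length` above) lost in the list archive's rendering rather than a change in the patch; check the hunk on GitHub rather than this copy. The removal itself is a pure move of the `IPA_CHANGETYPE_ADMIN` case further down the switch and changes nothing on its own.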
@@ -564,6 +555,18 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 LOG_TRACE("No password policy, use defaults");
 }
 break;
+	case IPA_CHANGETYPE_ADMIN:
+/* The expiration date needs to be older than the current time
+ * otherwise the KDC may not immediately register the password
+ * as expired. The last password change needs to match the
+ * password expiration otherwise minlife issues will arise.
+ */
+data->timeNow -= 1;
+data->expireTime = data->timeNow;
+
+	/* let set the entry password property according to its
+	 * entry password policy
+	 */
 case IPA_CHANGETYPE_DSMGR:
 /* PassSync agents and Directory Manager can administratively
  * change the password without expiring it.
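Review bot: The relocated `IPA_CHANGETYPE_ADMIN` case now falls through into `IPA_CHANGETYPE_DSMGR`, but nothing marks that as intentional: add an explicit `/* fall through */` comment immediately before `case IPA_CHANGETYPE_DSMGR:` (the comment that is there states the intent but does not say fall through), otherwise GCC's -Wimplicit-fallthrough flags it and the next editor may "fix" it with a `break`. Also confirm the side effect the fall-through brings: admin resets now execute the `pol.max_pwd_life = tmppol.max_pwd_life` assignment in the DSMGR case, which they did not before. Finally, the moved lines mix a leading tab (`\tcase IPA_CHANGETYPE_ADMIN:` and the new comment lines) with the file's space indentation.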
@@ -577,6 +580,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 LOG_TRACE("No password policy, use defaults");
 } else {
 pol.max_pwd_life = tmppol.max_pwd_life;
+		pol.history_length = tmppol.history_length;
 }
 break;
 default:
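Review bot: `pol.history_length = tmppol.history_length;` sits in the case that `IPA_CHANGETYPE_DSMGR` also reaches, so Directory Manager and PassSync password changes now pick up the policy's history length too, not only admin resets as the ticket describes. Either that is intended and the DSMGR comment above ("can administratively change the password without expiring it") should mention history, or the assignment should be guarded with `if (data->changetype == IPA_CHANGETYPE_ADMIN)`. The added line is also tab-indented where its neighbours use spaces.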