Re: [Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
On 12/03/15 17:15, Martin Babinsky wrote: On 03/12/2015 03:59 PM, Martin Babinsky wrote: On 03/11/2015 03:13 PM, Martin Basti wrote: On 11/03/15 13:00, Martin Babinsky wrote: These patches solve https://fedorahosted.org/freeipa/ticket/4933. They are to be applied to master branch. I will rebase them for ipa-4-1 after the review. Thank you for the patches. I have a few comments: IPA-4-1 Replace simple bind with LDAPI is too big change for 4-1, we should start TLS if possible to avoid MINSSF0 error. The LDAPI patches should go only into IPA master branch. You can do something like this: --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -107,6 +107,10 @@ class Service(object): if not self.realm: raise errors.NotFound(reason=realm is missing for %s % (self)) conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm) +elif self.dm_password is not None: +conn = ipaldap.IPAdmin(self.fqdn, port=389, + cacert=paths.IPA_CA_CRT, + start_tls=True) else: conn = ipaldap.IPAdmin(self.fqdn, port=389) PATCH 0018: 1) please add there more chatty commit message about using LDAPI 2) I do not like much idea of adding 'realm' kwarg into __init__ method of OpenDNSSECInstance IIUC, it is because get_masters() method, which requires realm to use LDAPI. You can just add ods.realm=realm, before call get_master() in ipa-dns-install if options.dnssec_master: +ods.realm=api.env.realm dnssec_masters = ods.get_masters() (Honza will change it anyway during refactoring) PATCH 0019: 1) commit message deserves to be more chatty, can you explain there why you removed kerberos cache? Martin^2 Attaching updated patches. Patch 0018 should go to both 4.1 and master branches. Patch 0019 should go only to master. One more update. Patch 0018 is for both 4.1 and master. Patch 0019 is for master only. Thank for patches Patch 0018: 1) Works for me but needs rebase on master Patch 0019: 1) Please rename the patch/commit message, the patch changes only ipa-dns-install connections not all DS operations 2) I have some troubles with applying patch, it needs rebase due 0018 -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
On 03/12/2015 03:59 PM, Martin Babinsky wrote: On 03/11/2015 03:13 PM, Martin Basti wrote: On 11/03/15 13:00, Martin Babinsky wrote: These patches solve https://fedorahosted.org/freeipa/ticket/4933. They are to be applied to master branch. I will rebase them for ipa-4-1 after the review. Thank you for the patches. I have a few comments: IPA-4-1 Replace simple bind with LDAPI is too big change for 4-1, we should start TLS if possible to avoid MINSSF0 error. The LDAPI patches should go only into IPA master branch. You can do something like this: --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -107,6 +107,10 @@ class Service(object): if not self.realm: raise errors.NotFound(reason=realm is missing for %s % (self)) conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm) +elif self.dm_password is not None: +conn = ipaldap.IPAdmin(self.fqdn, port=389, + cacert=paths.IPA_CA_CRT, + start_tls=True) else: conn = ipaldap.IPAdmin(self.fqdn, port=389) PATCH 0018: 1) please add there more chatty commit message about using LDAPI 2) I do not like much idea of adding 'realm' kwarg into __init__ method of OpenDNSSECInstance IIUC, it is because get_masters() method, which requires realm to use LDAPI. You can just add ods.realm=realm, before call get_master() in ipa-dns-install if options.dnssec_master: +ods.realm=api.env.realm dnssec_masters = ods.get_masters() (Honza will change it anyway during refactoring) PATCH 0019: 1) commit message deserves to be more chatty, can you explain there why you removed kerberos cache? Martin^2 Attaching updated patches. Patch 0018 should go to both 4.1 and master branches. Patch 0019 should go only to master. One more update. Patch 0018 is for both 4.1 and master. Patch 0019 is for master only. -- Martin^3 Babinsky From b8fa778811cdde75da7faa5a2bc37a20655db372 Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Thu, 12 Mar 2015 16:14:22 +0100 Subject: [PATCH] ipa-dns-install: use STARTTLS to connect to DS BindInstance et al. now use STARTTLS to set up secure connection to DS during ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933 --- install/tools/ipa-dns-install| 12 ipaserver/install/bindinstance.py| 10 ++ ipaserver/install/dnskeysyncinstance.py | 7 --- ipaserver/install/odsexporterinstance.py | 5 +++-- ipaserver/install/opendnssecinstance.py | 5 +++-- ipaserver/install/service.py | 10 -- 6 files changed, 32 insertions(+), 17 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 11f79f0f9be226aaee8c95deb31e7e21f8a18dbb..2b6ad02abee9428870b0a554f5b4088e77b0e852 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -151,7 +151,7 @@ def main(): confirm=False, validate=False) if dm_password is None: sys.exit(Directory Manager password required) -bind = bindinstance.BindInstance(fstore, dm_password) +bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True) # try the connection try: @@ -160,7 +160,8 @@ def main(): except errors.ACIError: sys.exit(Password is not valid!) -ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password) +ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password, +start_tls=True) if options.dnssec_master: dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master @@ -214,10 +215,13 @@ def main(): bind.create_instance() # on dnssec master this must be installed last -dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) +dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password, +start_tls=True) dnskeysyncd.create_instance(api.env.host, api.env.realm) if options.dnssec_master: -ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password) +ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, + dm_password, + start_tls=True) ods_exporter.create_instance(api.env.host, api.env.realm) ods.create_instance(api.env.host, api.env.realm) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4e630e8ddfed524d021d19016f48615fc8c0ab9d..a6839f5882d8994b99deee459ecb0160bb47cfef 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@
Re: [Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
On 03/11/2015 03:13 PM, Martin Basti wrote: On 11/03/15 13:00, Martin Babinsky wrote: These patches solve https://fedorahosted.org/freeipa/ticket/4933. They are to be applied to master branch. I will rebase them for ipa-4-1 after the review. Thank you for the patches. I have a few comments: IPA-4-1 Replace simple bind with LDAPI is too big change for 4-1, we should start TLS if possible to avoid MINSSF0 error. The LDAPI patches should go only into IPA master branch. You can do something like this: --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -107,6 +107,10 @@ class Service(object): if not self.realm: raise errors.NotFound(reason=realm is missing for %s % (self)) conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm) +elif self.dm_password is not None: +conn = ipaldap.IPAdmin(self.fqdn, port=389, + cacert=paths.IPA_CA_CRT, + start_tls=True) else: conn = ipaldap.IPAdmin(self.fqdn, port=389) PATCH 0018: 1) please add there more chatty commit message about using LDAPI 2) I do not like much idea of adding 'realm' kwarg into __init__ method of OpenDNSSECInstance IIUC, it is because get_masters() method, which requires realm to use LDAPI. You can just add ods.realm=realm, before call get_master() in ipa-dns-install if options.dnssec_master: +ods.realm=api.env.realm dnssec_masters = ods.get_masters() (Honza will change it anyway during refactoring) PATCH 0019: 1) commit message deserves to be more chatty, can you explain there why you removed kerberos cache? Martin^2 Attaching updated patches. Patch 0018 should go to both 4.1 and master branches. Patch 0019 should go only to master. -- Martin^3 Babinsky From aea965b42ad52b7504dd06b8e62861e1a7be4da1 Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Wed, 11 Mar 2015 15:37:08 +0100 Subject: [PATCH] ipa-dns-install: use STARTTLS to connect to DS BindInstance et al. now use STARTTLS to set up secure connection to DS during ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933 --- install/tools/ipa-dns-install| 12 ipaserver/install/bindinstance.py| 12 ++-- ipaserver/install/dnskeysyncinstance.py | 14 +++--- ipaserver/install/odsexporterinstance.py | 15 +++ ipaserver/install/opendnssecinstance.py | 15 +++ ipaserver/install/service.py | 10 -- 6 files changed, 43 insertions(+), 35 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 11f79f0f9be226aaee8c95deb31e7e21f8a18dbb..2b6ad02abee9428870b0a554f5b4088e77b0e852 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -151,7 +151,7 @@ def main(): confirm=False, validate=False) if dm_password is None: sys.exit(Directory Manager password required) -bind = bindinstance.BindInstance(fstore, dm_password) +bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True) # try the connection try: @@ -160,7 +160,8 @@ def main(): except errors.ACIError: sys.exit(Password is not valid!) -ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password) +ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password, +start_tls=True) if options.dnssec_master: dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master @@ -214,10 +215,13 @@ def main(): bind.create_instance() # on dnssec master this must be installed last -dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password) +dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password, +start_tls=True) dnskeysyncd.create_instance(api.env.host, api.env.realm) if options.dnssec_master: -ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password) +ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, + dm_password, + start_tls=True) ods_exporter.create_instance(api.env.host, api.env.realm) ods.create_instance(api.env.host, api.env.realm) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 4e630e8ddfed524d021d19016f48615fc8c0ab9d..ca73b43f6da2f0cf3ad8423b24b2ce19062d0df2 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -533,13 +533,13 @@ class DnsBackup(object): class BindInstance(service.Service): -def __init__(self,
Re: [Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
On 03/11/2015 01:00 PM, Martin Babinsky wrote: These patches solve https://fedorahosted.org/freeipa/ticket/4933. They are to be applied to master branch. I will rebase them for ipa-4-1 after the review. It looks like you will also fix ipa-dns-install part of https://fedorahosted.org/freeipa/ticket/2957. So this ticket should be also referred I think (I think we should not close it until other referred tools are also fixed). Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
On 03/11/2015 04:59 PM, Martin Kosek wrote: On 03/11/2015 01:00 PM, Martin Babinsky wrote: These patches solve https://fedorahosted.org/freeipa/ticket/4933. They are to be applied to master branch. I will rebase them for ipa-4-1 after the review. It looks like you will also fix ipa-dns-install part of https://fedorahosted.org/freeipa/ticket/2957. So this ticket should be also referred I think (I think we should not close it until other referred tools are also fixed). Martin Yes that is our evil plan: For 4.1 we will issue only a (relatively) simple fix regarding https://fedorahosted.org/freeipa/ticket/4933 which preserves the -p option. For master we will make ipa-dns-install use LDAPI w/ autobind and make -p option deprecated. The other tools will hopefully meet the same fate once the install/upgrade refactoring is made. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCHES 0018-0019] ipa-dns-install: Use LDAPI for all DS connections
These patches solve https://fedorahosted.org/freeipa/ticket/4933.
They are to be applied to master branch. I will rebase them for ipa-4-1
after the review.
--
Martin^3 Babinsky
From 3072b2f79fb9b8024fb54a6ef966afceb9a0e82b Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Wed, 11 Mar 2015 12:39:58 +0100
Subject: [PATCH 1/2] make BindInstance and friends autobind-ready
https://fedorahosted.org/freeipa/ticket/4933
---
ipaserver/install/bindinstance.py| 14 +++---
ipaserver/install/odsexporterinstance.py | 7 ---
ipaserver/install/opendnssecinstance.py | 8 +---
3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 52aea74cdf1263a30c3d25bc2cce79e6f7fe597f..ea0b5345295ff756acad129202b267a079cc60ac 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,13 +533,13 @@ class DnsBackup(object):
class BindInstance(service.Service):
-def __init__(self, fstore=None, dm_password=None, api=api):
+def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
+ autobind=ipaldap.AUTOBIND_DISABLED):
service.Service.__init__(self, named,
-service_desc=DNS,
-dm_password=dm_password,
-ldapi=False,
-autobind=ipaldap.AUTOBIND_DISABLED
-)
+ service_desc=DNS,
+ dm_password=dm_password,
+ ldapi=ldapi,
+ autobind=autobind)
self.dns_backup = DnsBackup(self)
self.named_user = None
self.domain = None
@@ -583,7 +583,7 @@ class BindInstance(service.Service):
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
-dm_password=self.dm_password)
+dm_password=self.dm_password, autobind=self.autobind)
self.__setup_sub_dict()
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index e01550446dbefd276092ae8fa60c6b03f799610b..884f66268dbcffd8deda4c9ef630486114cc7317 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,13 +19,14 @@ from ipalib import errors
class ODSExporterInstance(service.Service):
-def __init__(self, fstore=None, dm_password=None):
+def __init__(self, fstore=None, dm_password=None, ldapi=False,
+ autobind=ipaldap.AUTOBIND_DISABLED):
service.Service.__init__(
self, ipa-ods-exporter,
service_desc=IPA OpenDNSSEC exporter daemon,
dm_password=dm_password,
-ldapi=False,
-autobind=ipaldap.AUTOBIND_DISABLED
+ldapi=ldapi,
+autobind=autobind
)
self.dm_password = dm_password
self.ods_uid = None
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 869cf8ffec3196a3694442c75ce353211627cb18..0adc4cc5c8f853d938d88c28bb25ee841617970e 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,13 +61,14 @@ def check_inst():
class OpenDNSSECInstance(service.Service):
-def __init__(self, fstore=None, dm_password=None):
+def __init__(self, fstore=None, dm_password=None, ldapi=False, realm=None,
+ autobind=ipaldap.AUTOBIND_DISABLED):
service.Service.__init__(
self, ods-enforcerd,
service_desc=OpenDNSSEC enforcer daemon,
dm_password=dm_password,
-ldapi=False,
-autobind=ipaldap.AUTOBIND_DISABLED
+ldapi=ldapi,
+autobind=autobind
)
self.dm_password = dm_password
self.ods_uid = None
@@ -79,6 +80,7 @@ class OpenDNSSECInstance(service.Service):
}
self.kasp_file_dict = {}
self.extra_config = [KEYMASTER]
+self.realm = realm
if fstore:
self.fstore = fstore
--
2.1.0
From a7a74fec079149c901c1747a1881a2d225246788 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Wed, 11 Mar 2015 12:41:07 +0100
Subject: [PATCH 2/2] ipa-dns-install: use LDAPI for all DS operations
https://fedorahosted.org/freeipa/ticket/4933
---
install/tools/ipa-dns-install | 47 ++---
install/tools/man/ipa-dns-install.1 | 7 +++---
2 files changed, 22 insertions(+), 32 deletions(-)
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 967057e1afae11873d2cd116d4385b0d79da8e14..e95aac732158731c3cc37e95e8f73adb0d98d56b 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -21,14 +21,13 @@
from optparse import OptionGroup, SUPPRESS_HELP
-import krbV
-
from ipaserver.install
