[Freeipa-devel] [freeipa PR#1424][closed] Fixing how to parse the backup dir in test_backup_and_restore
URL: https://github.com/freeipa/freeipa/pull/1424
Author: felipevolpone
Title: #1424: Fixing how to parse the backup dir in test_backup_and_restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1424/head:pr1424
git checkout pr1424
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> Here is the procedure to use a Let’s Encrypt certificate with freeIPA
>
> Download isrgrootx1 certificate:
>
> # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> # mv isrgrootx1.pem.txt isrgrootx1.pem
>
> Download letsencryptauthorityx3 certificate:
>
> # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
>
> Install CA to freeIPA
>
> # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
>
> I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
>
> # create a file DSTRootCAX3.pem with the content of
> https://www.identrust.com/certificates/trustid/root-download-x3.html
> # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
>
> Update certificates
>
> # kinit admin
> # ipa-certupdate
>
> Install Let’s Encrypt certificate (I used a DNS-01 challenge:
> http://letsencrypt.readthedocs.io/en/latest/challenges.html)
>
> # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
>
> Restart the system
>
> # systemctl restart httpd.service
> # systemctl restart dirsrv@BLACKPOINTS-CH.service
>
> or
>
> # ipactl restart
>
> That's all

Thanks for contributing! FreeIPA actually has some shared scripts already hosted in the team's GitHub repo:

https://github.com/freeipa/freeipa-letsencrypt

that look quite similar to what you came up with. Maybe you want to either use or contribute to these shared scripts?

Martin
[Freeipa-devel] [freeipa PR#1425][opened] Documenting kinit_lifetime in /etc/ipa/default.conf
URL: https://github.com/freeipa/freeipa/pull/1425 Author: amitkumar50 Title: #1425: Documenting kinit_lifetime in /etc/ipa/default.conf Action: opened PR body: """ Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Resolves: https://pagure.io/freeipa/issue/7333 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1425/head:pr1425 git checkout pr1425 From c31bd25d02f0d5094089b012f2d9ec76b46f9258 Mon Sep 17 00:00:00 2001 From: amitkumaDate: Tue, 2 Jan 2018 21:05:27 +0530 Subject: [PATCH] Documenting kinit_lifetime in /etc/ipa/default.conf Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Resolves: https://pagure.io/freeipa/issue/7333 --- client/man/default.conf.5 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 index 35ce6bb9f8..b3751b5043 100644 --- a/client/man/default.conf.5 +++ b/client/man/default.conf.5 @@ -107,6 +107,9 @@ This is used in development and is generally a detected value. It means that the .B interactive Specifies whether values should be prompted for or not. The default is True. .TP +.B kinit_lifetime +Controls the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. +.TP .B ldap_uri Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket .TP ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
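Review bot: the new `.B kinit_lifetime` entry in the default.conf.5 hunk describes what the option is for but not the value it takes or what happens when it is unset, while the neighbouring entries do (for example `.B interactive` ends with "The default is True."). Add a sentence giving the accepted value format and the default behaviour, and change "lifetime of ticket obtained by users" to "lifetime of the ticket obtained by users".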
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
Hey Martin and Paride,

There are also some scripts which use DNS auth and allow multiple DNS names/aliases/principals:

https://github.com/antevens/letsencrypt-freeipa

In addition to that I recently started work on a Certmonger helper which would allow one to use Let's Encrypt certs for the entire infrastructure automatically:

https://github.com/antevens/cerlet

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908

On Tue, Jan 2, 2018 at 4:54 AM, Martin Kosek via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:
> On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> > Here is the procedure to use a Let’s Encrypt certificate with freeIPA
> >
> > Download isrgrootx1 certificate:
> >
> > # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> > # mv isrgrootx1.pem.txt isrgrootx1.pem
> >
> > Download letsencryptauthorityx3 certificate:
> >
> > # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> > # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
> >
> > Install CA to freeIPA
> >
> > # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> > # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
> >
> > I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
> >
> > # create a file DSTRootCAX3.pem with the content of
> > https://www.identrust.com/certificates/trustid/root-download-x3.html
> > # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
> >
> > Update certificates
> >
> > # kinit admin
> > # ipa-certupdate
> >
> > Install Let’s Encrypt certificate (I used a DNS-01 challenge:
> > http://letsencrypt.readthedocs.io/en/latest/challenges.html)
> >
> > # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
> >
> > Restart the system
> >
> > # systemctl restart httpd.service
> > # systemctl restart dirsrv@BLACKPOINTS-CH.service
> >
> > or
> >
> > # ipactl restart
> >
> > That's all
>
> Thanks for contributing! FreeIPA actually has some shared scripts
> already hosted in the team's GitHub repo:
>
> https://github.com/freeipa/freeipa-letsencrypt
>
> that look quite similar to what you came up with. Maybe you want to
> either use or contribute to these shared scripts?
>
> Martin
[Freeipa-devel] [freeipa PR#1426][opened] ACI: grant access to admins group instead of admin user
URL: https://github.com/freeipa/freeipa/pull/1426 Author: flo-renaud Title: #1426: ACI: grant access to admins group instead of admin user Action: opened PR body: """ The ACI needed for staged users and deleted users were granted only to the uid=admin user. They should rather be granted to cn=admins group, to make sure that all members of the admins group are able to call the command ipa user-del --preserve. https://pagure.io/freeipa/issue/7342 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1426/head:pr1426 git checkout pr1426 From e504db3090c46b737decede0d91da8b19eaff993 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 2 Jan 2018 16:28:24 +0100 Subject: [PATCH] ACI: grant access to admins group instead of admin user The ACI needed for staged users and deleted users were granted only to the uid=admin user. They should rather be granted to cn=admins group, to make sure that all members of the admins group are able to call the command ipa user-del --preserve. https://pagure.io/freeipa/issue/7342 --- install/updates/30-provisioning.update | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update index b8ec80e00f..46c589e518 100644 --- a/install/updates/30-provisioning.update +++ b/install/updates/30-provisioning.update 
@@ -23,12 +23,14 @@ default: cn: deleted users # This is used for the admin to know if credential are set for stage users # We can do a query on a DN to see if an attribute exists or retrieve the value dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX -add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;) +remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;) +add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) # This is used for the admin to reset the delete users credential # No one is allowed to add entry in Delete container dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX -add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;) +remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;) +add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all;;) dn: cn=provisioning accounts 
lock,cn=accounts,cn=provisioning,$SUFFIX ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
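Review bot: the two `remove:aci:` lines in the 30-provisioning.update hunk only take effect if they match the ACI value stored on an existing instance exactly; if the deployed value differs at all (whitespace, attribute order) the old uid=admin grant stays in place next to the new groupdn grant, so the upgrade path deserves a check on an instance installed before this change that only the cn=admins ACI remains. A test that a member of cn=admins other than admin can run `ipa user-del --preserve` would also pin down the behaviour the commit message describes.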
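The PR above swaps ACIs bound to the single user uid=admin for ACIs bound to the cn=admins group. The following is an added example, not FreeIPA project code: a small Python audit that parses ACI strings of the shape used in FreeIPA's *.update files, flags "allow" grants whose bind rule names one user entry rather than a group or a 389-DS bind keyword (all, anyone, self, parent), and performs the same user-to-group rebind the patch does. The sample ACIs are constructed from the patch with a made-up suffix dc=example,dc=test; the regular expressions assume one targetattr clause and one bind rule per ACI, which holds for these update-file ACIs but not for every ACI 389-DS accepts.

```python
"""Audit FreeIPA/389-DS ACI strings for "allow" grants bound to a single user DN.

Added example, not FreeIPA code. Assumes the ACI shape used in FreeIPA's
install/updates/*.update files: one targetattr clause, one acl name and a
single bind rule of the form userdn/groupdn = "ldap:///<dn or keyword>".
"""
import re
from dataclasses import dataclass

# Constructed sample data: the grants from 30-provisioning.update before and
# after the change, with $SUFFIX replaced by a made-up base DN.
SUFFIX = "dc=example,dc=test"
SAMPLE_ACIS = [
    '(targetattr="userPassword || krbPrincipalKey")(version 3.0; '
    'acl "Search existence of password and kerberos keys"; '
    'allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,%s";)' % SUFFIX,
    '(targetattr="userPassword || krbPrincipalKey")(version 3.0; '
    'acl "Search existence of password and kerberos keys"; '
    'allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,%s";)' % SUFFIX,
    '(targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; '
    'deny (add) userdn = "ldap:///all";)',
    '(targetattr="userPassword")(version 3.0; acl "Users may change own password"; '
    'allow(write) userdn = "ldap:///self";)',
]

# 389-DS bind-rule keywords that are not concrete directory entries.
BIND_KEYWORDS = {"all", "anyone", "self", "parent"}

TARGETATTR_RE = re.compile(r'targetattr\s*=\s*"([^"]*)"')
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
# effect, rights list, bind-rule kind, and the DN/keyword after ldap:///
RULE_RE = re.compile(
    r'\b(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"')


@dataclass(frozen=True)
class AciGrant:
    name: str
    effect: str          # "allow" or "deny"
    rights: tuple        # e.g. ("read", "search")
    targetattrs: tuple   # e.g. ("userPassword", "krbPrincipalKey")
    bind_kind: str       # "userdn" or "groupdn"
    bind_dn: str         # DN or keyword such as "all"


def parse_aci(aci):
    """Split one ACI string into its grant components; raise on unexpected shape."""
    attrs = TARGETATTR_RE.search(aci)
    name = ACL_NAME_RE.search(aci)
    rule = RULE_RE.search(aci)
    if not (attrs and name and rule):
        raise ValueError("unsupported ACI shape: %s" % aci)
    effect, rights, kind, dn = rule.groups()
    return AciGrant(
        name=name.group(1),
        effect=effect,
        rights=tuple(r.strip() for r in rights.split(",")),
        targetattrs=tuple(a.strip() for a in attrs.group(1).split("||")),
        bind_kind=kind,
        bind_dn=dn,
    )


def is_single_user_bind(kind, dn):
    """True when the bind rule names one concrete user entry, not a group or keyword."""
    return kind == "userdn" and dn.lower() not in BIND_KEYWORDS


def find_single_user_allows(acis):
    """Return (acl name, bind DN) for every allow-grant tied to a single user entry."""
    flagged = []
    for aci in acis:
        grant = parse_aci(aci)
        if grant.effect == "allow" and is_single_user_bind(grant.bind_kind, grant.bind_dn):
            flagged.append((grant.name, grant.bind_dn))
    return flagged


def rebind_to_group(aci, group_dn):
    """Rewrite a userdn bind rule to a groupdn rule, as the patch does for cn=admins."""
    return re.sub(r'userdn\s*=\s*"ldap:///[^"]*"',
                  'groupdn = "ldap:///%s"' % group_dn, aci)


if __name__ == "__main__":
    for name, dn in find_single_user_allows(SAMPLE_ACIS):
        print("single-user grant: %r bound to %s" % (name, dn))
    print(rebind_to_group(SAMPLE_ACIS[0], "cn=admins,cn=groups,cn=accounts," + SUFFIX))
```

Run against an export of the ACIs on a live instance (for example the aci attribute of the provisioning containers), the audit reports only the uid=admin grant; the group-bound grant, the deny rule on ldap:///all and the self-service rule are left alone, and rebinding the flagged ACI to cn=admins yields exactly the value the patch adds.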
[Freeipa-devel] [freeipa PR#1427][opened] Skip zone overlap check with auto-reverse
URL: https://github.com/freeipa/freeipa/pull/1427 Author: justin-stephenson Title: #1427: Skip zone overlap check with auto-reverse Action: opened PR body: """ Skip the existing reverse zone overlap check during DNS installation when both `--auto-reverse` and `--allow-zone-overlap` arguments are provided together. https://pagure.io/freeipa/issue/7239 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1427/head:pr1427 git checkout pr1427 From 84cb77ac499fb95ee1ca8a6657d352bb4453abbe Mon Sep 17 00:00:00 2001 From: Justin StephensonDate: Wed, 27 Dec 2017 16:32:47 -0500 Subject: [PATCH] Skip zone overlap check with auto-reverse Skip the existing reverse zone overlap check during DNS installation when both --auto-reverse and --allow-zone-overlap arguments are provided. https://pagure.io/freeipa/issue/7239 --- ipaserver/install/bindinstance.py | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index a50fd9ff05..f87c909cdc 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -302,7 +302,7 @@ def read_reverse_zone(default, ip_address, allow_zone_overlap=False): return normalize_zone(zone) -def get_auto_reverse_zones(ip_addresses): +def get_auto_reverse_zones(ip_addresses, allow_zone_overlap=False): auto_zones = [] for ip in ip_addresses: if ipautil.reverse_record_exists(ip): 
@@ -310,12 +310,13 @@ def get_auto_reverse_zones(ip_addresses): logger.info("Reverse record for IP address %s already exists", ip) continue default_reverse = get_reverse_zone_default(ip) -try: -dnsutil.check_zone_overlap(default_reverse) -except ValueError: -logger.info("Reverse zone %s for IP address %s already exists", -default_reverse, ip) -continue +if not allow_zone_overlap: +try: +dnsutil.check_zone_overlap(default_reverse) +except ValueError: +logger.info("Reverse zone %s for IP address %s already exists", +default_reverse, ip) +continue auto_zones.append((ip, default_reverse)) return auto_zones @@ -486,7 +487,8 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, ips_missing_reverse.append(ip) # create reverse zone for IP addresses that does not have one -for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse): +for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse, + options.allow_zone_overlap): if options.auto_reverse: logger.info("Reverse zone %s will be created", rz) checked_reverse_zones.append(rz) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
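Review bot: in the get_auto_reverse_zones hunk, when allow_zone_overlap is true the zone is appended without ever calling dnsutil.check_zone_overlap, so an overlapping reverse zone is created with nothing in the install log to say the check was bypassed; a logger.info in that branch ("Zone overlap check skipped for reverse zone %s") would mirror the existing "already exists" message, and the new parameter should be described in the function's docstring.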
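Review bot: in the check_reverse_zones hunk the call now passes options.allow_zone_overlap unconditionally, but options.auto_reverse is only tested inside the loop body, so the overlap check is skipped whenever --allow-zone-overlap is set, not only when it is combined with --auto-reverse as the PR body states; either pass `options.auto_reverse and options.allow_zone_overlap` or adjust the PR description to say the check is skipped for any run with --allow-zone-overlap.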
[Freeipa-devel] [freeipa PR#1428][opened] Check if replication exist before enable it
URL: https://github.com/freeipa/freeipa/pull/1428 Author: felipevolpone Title: #1428: Check if replication exist before enable it Action: opened PR body: """ If the replication does not exist a custom exception is raised explaining the problem. Fixes: #7201 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1428/head:pr1428 git checkout pr1428 From 012592b67a55534bbd155f1a8436ad6d2aa7b404 Mon Sep 17 00:00:00 2001 From: Felipe BarretoDate: Tue, 2 Jan 2018 21:40:49 -0200 Subject: [PATCH] Check if replication exists before enable it If the replication does not exists a custom exception is raised explaining the problem. Fixes: #7201 --- ipaserver/install/replication.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 8aae90c0a9..6d13c3bf06 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -1561,6 +1561,9 @@ def enable_agreement(self, hostname): Note: for replication to work it needs to be enabled both ways. """ entry = self.get_replication_agreement(hostname) +if not entry: +raise errors.NotFound( +reason="Replication agreement for %s not found" % hostname) entry['nsds5ReplicaEnabled'] = 'on' try: ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
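Review bot: the guard in the enable_agreement hunk sits in the right place, before `entry['nsds5ReplicaEnabled'] = 'on'`, which would otherwise fail with a TypeError if get_replication_agreement returns None; confirm that `errors` is imported in replication.py (the hunk shows only its use) and add a test that enable_agreement raises NotFound for a hostname with no agreement. The commit subject and body also need "before enabling it" and "does not exist".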