[Freeipa-devel] [freeipa PR#1424][closed] Fixing how to parse the backup dir in test_backup_and_restore

2018-01-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1424
Author: felipevolpone
 Title: #1424: Fixing how to parse the backup dir in test_backup_and_restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1424/head:pr1424
git checkout pr1424
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt

2018-01-02 Thread Martin Kosek via FreeIPA-devel
On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> Here is the procedure to use a Let’s Encrypt certificate with freeIPA
> 
> Download isrgrootx1 certificate:
> 
> # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> # mv isrgrootx1.pem.txt isrgrootx1.pem
> 
> Download letsencryptauthorityx3 certificate:
> 
> # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
> 
> Install CA to freeIPA
> 
> # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
> 
> I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
> 
> # create a file DSTRootCAX3.pem with the content of
> https://www.identrust.com/certificates/trustid/root-download-x3.html
> # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
> 
> Update certificates
> 
> # kinit admin
> # ipa-certupdate
> 
> Install Let’s Encrypt certificate (I used a DNS-01 challenge: 
> http://letsencrypt.readthedocs.io/en/latest/challenges.html)
> 
> # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem 
> /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
> 
> Restart the system
> 
> # systemctl restart httpd.service
> # systemctl restart dirsrv@BLACKPOINTS-CH.service
> 
> or 
> 
> # ipactl restart
> 
> That's all

Thanks for contributing! FreeIPA actually has some shared scripts
already hosted in the team's GitHub repo:

https://github.com/freeipa/freeipa-letsencrypt

that look quite similar to what you came up with. Maybe you want to
either use or contribute to these shared scripts?

Martin
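The steps quoted above are typed by hand, one command at a time. As an added example (not part of either mail, and not code from the freeipa-letsencrypt scripts Martin links), here is a Python dry-run wrapper with the checks worth doing before pointing `ipa-server-certinstall` at a new chain: that `fullchain.pem` really holds the leaf plus at least one intermediate, that `privkey.pem` is not group- or world-readable, and the exact command sequence from the post assembled as argv lists. The PEM bodies are constructed stubs (tiny DER SEQUENCEs, not real certificates), `/etc/letsencrypt/live/ipa.example.com` is a placeholder path, and the function names are mine.

```python
import base64
import re
import stat
import subprocess

# One PEM certificate block. certbot's fullchain.pem lists the leaf first,
# then the intermediate(s); that order is what ipa-server-certinstall expects.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed placeholder chain: each body decodes to the DER SEQUENCE
# 30 03 02 01 01, which is enough for the structural checks below.
CONSTRUCTED_FULLCHAIN = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def split_pem_chain(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def validate_fullchain(text):
    """Return the certificate count; a usable fullchain carries leaf + intermediate."""
    n = len(split_pem_chain(text))
    if n < 2:
        raise ValueError("fullchain.pem should contain the leaf and at least one intermediate")
    return n


def private_key_mode_ok(mode):
    """True when group and other have no access bits on the private key file."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def dirsrv_unit(realm):
    """systemd unit of the 389-ds instance: the realm with dots turned into dashes."""
    return "dirsrv@%s.service" % realm.upper().replace(".", "-")


def plan_install(live_dir, ca_certs):
    """Build the command sequence from the post as argv lists.

    ca_certs: (pem_path, nickname, trust_flags) tuples, in install order.
    """
    cmds = [["ipa-cacert-manage", "install", path, "-n", nick, "-t", flags]
            for path, nick, flags in ca_certs]
    cmds += [
        ["kinit", "admin"],
        ["ipa-certupdate"],
        # empty --pin: the key file is unencrypted, as in the post
        ["ipa-server-certinstall", "-w", "-d",
         live_dir + "/privkey.pem", live_dir + "/fullchain.pem", "--pin="],
        ["ipactl", "restart"],
    ]
    return cmds


def run_plan(cmds, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
```

A typical call is `run_plan(plan_install("/etc/letsencrypt/live/ipa.example.com", [("isrgrootx1.pem", "ISRGRootX1", ",,"), ("letsencryptauthorityx3.pem", "letsencryptx3", "C,,")]))` after `validate_fullchain()` and `private_key_mode_ok(os.stat(key).st_mode)` have passed. One point the post does not mention: `ipa-certupdate` has to be run on every enrolled client and replica as well, not only on the server where the CA certificates were installed, or those hosts will not trust the new chain.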


[Freeipa-devel] [freeipa PR#1425][opened] Documenting kinit_lifetime in /etc/ipa/default.conf

2018-01-02 Thread amitkumar50 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1425
Author: amitkumar50
 Title: #1425: Documenting kinit_lifetime in /etc/ipa/default.conf
Action: opened

PR body:
"""
Describing the parameter kinit_lifetime, which allows limiting the lifetime of the
ticket obtained by users authenticating to the WebGUI using login/password.

Resolves: https://pagure.io/freeipa/issue/7333
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1425/head:pr1425
git checkout pr1425
From c31bd25d02f0d5094089b012f2d9ec76b46f9258 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 2 Jan 2018 21:05:27 +0530
Subject: [PATCH] Documenting kinit_lifetime in /etc/ipa/default.conf

Describing the parameter kinit_lifetime, which allows limiting the lifetime of the ticket obtained by users authenticating to the WebGUI using login/password.

Resolves: https://pagure.io/freeipa/issue/7333
---
 client/man/default.conf.5 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
index 35ce6bb9f8..b3751b5043 100644
--- a/client/man/default.conf.5
+++ b/client/man/default.conf.5
@@ -107,6 +107,9 @@ This is used in development and is generally a detected value. It means that the
 .B interactive 
 Specifies whether values should be prompted for or not. The default is True.
 .TP
+.B kinit_lifetime 
+Controls the lifetime of ticket obtained by users authenticating to the WebGUI using login/password.
+.TP
 .B ldap_uri 
 Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
 .TP
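Review bot: the new `kinit_lifetime` entry says what the option controls but not which values it accepts or what the default is, while the neighbouring `interactive` and `ldap_uri` entries both state their default; add the accepted value format and the default, and reword to "the lifetime of the ticket obtained by users authenticating to the WebGUI using login/password" so the article is not missing.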


[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt

2018-01-02 Thread Antonia Stevens via FreeIPA-devel
Hey Martin and Paride,

There are also some scripts which use DNS auth and allow multiple DNS
names/aliases/principals:

https://github.com/antevens/letsencrypt-freeipa

In addition to that I recently started work on a Certmonger helper which
would allow one to use Let's Encrypt certs for the entire infrastructure
automatically:

https://github.com/antevens/cerlet

-- 
Antonia Stevens
a...@antevens.com
+1 416 888 6908

On Tue, Jan 2, 2018 at 4:54 AM, Martin Kosek via FreeIPA-devel <
freeipa-devel@lists.fedorahosted.org> wrote:

> On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> > Here is the procedure to use a Let’s Encrypt certificate with freeIPA
> >
> > Download isrgrootx1 certificate:
> >
> > # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> > # mv isrgrootx1.pem.txt isrgrootx1.pem
> >
> > Download letsencryptauthorityx3 certificate:
> >
> > # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> > # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
> >
> > Install CA to freeIPA
> >
> > # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> > # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3
> -t C,,
> >
> > I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
> >
> > # create a file DSTRootCAX3.pem with the content of
> https://www.identrust.com/certificates/trustid/root-download-x3.html
> > # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
> >
> > Update certificates
> >
> > # kinit admin
> > # ipa-certupdate
> >
> > Install Let’s Encrypt certificate (I used a DNS-01 challenge:
> http://letsencrypt.readthedocs.io/en/latest/challenges.html)
> >
> > # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.
> doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem
> --pin=
> >
> > Restart the system
> >
> > # systemctl restart httpd.service
> > # systemctl restart dirsrv@BLACKPOINTS-CH.service
> >
> > or
> >
> > # ipactl restart
> >
> > That's all
>
> Thanks for contributing! FreeIPA actually has some shared scripts
> already hosted in the team's GitHub repo:
>
> https://github.com/freeipa/freeipa-letsencrypt
>
> that look quite similar to what you came up with. Maybe you want to
> either use or contribute to these shared scripts?
>
> Martin
> ___
> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
>


[Freeipa-devel] [freeipa PR#1426][opened] ACI: grant access to admins group instead of admin user

2018-01-02 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1426
Author: flo-renaud
 Title: #1426: ACI: grant access to admins group instead of admin user
Action: opened

PR body:
"""
The ACIs needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to the
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

https://pagure.io/freeipa/issue/7342
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1426/head:pr1426
git checkout pr1426
From e504db3090c46b737decede0d91da8b19eaff993 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 2 Jan 2018 16:28:24 +0100
Subject: [PATCH] ACI: grant access to admins group instead of admin user

The ACIs needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to the
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

https://pagure.io/freeipa/issue/7342
---
 install/updates/30-provisioning.update | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index b8ec80e00f..46c589e518 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -23,12 +23,14 @@ default: cn: deleted users
 # This is used for the admin to know if credential are set for stage users
 # We can do a query on a DN to see if an attribute exists or retrieve the value
 dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;)
+remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;)
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 
 # This is used for the admin to reset the delete users credential
 # No one is allowed to add entry in Delete container
 dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;)
+remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX;;)
+add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all;;)
 
 dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
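Review bot: each `remove:aci:` line only takes effect if it matches the ACI stored in the directory byte-for-byte; here both match the former `add:aci:` lines exactly, but on an installation where the ACI was ever edited by hand the old `uid=admin` grant would survive next to the new `cn=admins` one, so an upgrade test asserting that exactly one ACI named "Search existence of password and kerberos keys" remains on cn=staged users (and one "Admins allowed to reset password and kerberos keys" on cn=deleted users) is worth adding. The comments above both dn lines still say "for the admin"; reword them to the admins group to match the new `groupdn` bind rule.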


[Freeipa-devel] [freeipa PR#1427][opened] Skip zone overlap check with auto-reverse

2018-01-02 Thread justin-stephenson via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1427
Author: justin-stephenson
 Title: #1427: Skip zone overlap check with auto-reverse
Action: opened

PR body:
"""
Skip the existing reverse zone overlap check during DNS installation
when both `--auto-reverse` and `--allow-zone-overlap` arguments are
provided together.

https://pagure.io/freeipa/issue/7239
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1427/head:pr1427
git checkout pr1427
From 84cb77ac499fb95ee1ca8a6657d352bb4453abbe Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 27 Dec 2017 16:32:47 -0500
Subject: [PATCH] Skip zone overlap check with auto-reverse

Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239
---
 ipaserver/install/bindinstance.py | 18 ++
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index a50fd9ff05..f87c909cdc 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -302,7 +302,7 @@ def read_reverse_zone(default, ip_address, allow_zone_overlap=False):
 return normalize_zone(zone)
 
 
-def get_auto_reverse_zones(ip_addresses):
+def get_auto_reverse_zones(ip_addresses, allow_zone_overlap=False):
 auto_zones = []
 for ip in ip_addresses:
 if ipautil.reverse_record_exists(ip):
@@ -310,12 +310,13 @@ def get_auto_reverse_zones(ip_addresses):
 logger.info("Reverse record for IP address %s already exists", ip)
 continue
 default_reverse = get_reverse_zone_default(ip)
-try:
-dnsutil.check_zone_overlap(default_reverse)
-except ValueError:
-logger.info("Reverse zone %s for IP address %s already exists",
-default_reverse, ip)
-continue
+if not allow_zone_overlap:
+try:
+dnsutil.check_zone_overlap(default_reverse)
+except ValueError:
+logger.info("Reverse zone %s for IP address %s already exists",
+default_reverse, ip)
+continue
 auto_zones.append((ip, default_reverse))
 return auto_zones
 
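Review bot: when `allow_zone_overlap` is set the whole `try` block is skipped, so the "Reverse zone %s for IP address %s already exists" message is never logged and an overlapping reverse zone is created silently; log at info level that an existing zone is being overlapped on purpose, so the operator can see it in the install log.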
@@ -486,7 +487,8 @@ def check_reverse_zones(ip_addresses, reverse_zones, options, unattended,
 ips_missing_reverse.append(ip)
 
 # create reverse zone for IP addresses that does not have one
-for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse):
+for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse,
+   options.allow_zone_overlap):
 if options.auto_reverse:
 logger.info("Reverse zone %s will be created", rz)
 checked_reverse_zones.append(rz)
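Review bot: `options.allow_zone_overlap` is forwarded to `get_auto_reverse_zones` whenever it is set, while the PR body says the check is skipped only when `--auto-reverse` is also given; the `if options.auto_reverse` branch below decides only whether the zone is created unattended, so the commit message should state that `--allow-zone-overlap` alone also stops overlapping candidates from being filtered here, and a test covering both flag combinations would pin the intended behaviour down.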


[Freeipa-devel] [freeipa PR#1428][opened] Check if replication exists before enabling it

2018-01-02 Thread felipevolpone via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1428
Author: felipevolpone
 Title: #1428: Check if replication exists before enabling it
Action: opened

PR body:
"""
If the replication does not exist, a custom exception is raised explaining the
problem.

Fixes: #7201
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1428/head:pr1428
git checkout pr1428
From 012592b67a55534bbd155f1a8436ad6d2aa7b404 Mon Sep 17 00:00:00 2001
From: Felipe Barreto 
Date: Tue, 2 Jan 2018 21:40:49 -0200
Subject: [PATCH] Check if replication exists before enabling it

If the replication does not exist, a custom exception
is raised explaining the problem.

Fixes: #7201
---
 ipaserver/install/replication.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 8aae90c0a9..6d13c3bf06 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1561,6 +1561,9 @@ def enable_agreement(self, hostname):
 Note: for replication to work it needs to be enabled both ways.
 """
 entry = self.get_replication_agreement(hostname)
+if not entry:
+raise errors.NotFound(
+reason="Replication agreement for %s not found" % hostname)
 entry['nsds5ReplicaEnabled'] = 'on'
 
 try:
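Review bot: `if not entry:` only fires if `get_replication_agreement` returns None (or another falsy value) for an unknown hostname; confirm it does not raise on its own, otherwise this branch is dead code, and check that `errors` is already imported in replication.py, since the hunk uses `errors.NotFound` without adding an import.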