Re: [Freeipa-devel] [PATCH] #1820 Fix legacy password generation
On Thu, 2011-10-06 at 17:29 +0200, Jakub Hrozek wrote:
> On Mon, Sep 19, 2011 at 05:39:06PM -0400, Simo Sorce wrote:
> > Today I found another regression in the kpasswd password change path. I filed ticket #1820
> >
> > Legacy password hashes were not generated due to an issue with the list of attributes being searched in ipadb_get_principal(), objectclass was missing. This patch fixes it.
>
> It does :-) Ack!

Thanks! Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> > The aci prefix was missing in the description of the three dns acis which made them not show up when viewing their permission entries.
> >
> > rob
>
> This works fine, but it is just a part of a solution. DNS related privileges miss memberof attribute for the DNS permissions and thus the permissions are not listed:
>
> # ipa permission-show add dns entries
> Permission name: add dns entries
> Permissions: add
> Type: dnsrecord
> Granted to Privilege: DNS Administrators, DNS Servers
>
> # ipa privilege-show DNS Administrators
> Privilege name: DNS Administrators
> Description: DNS Administrators
> Missing permissions
>
> I think the reason is that the permissions are in a wrong order in the LDIF and are created before the privilege itself. When member links are being created for DNS permissions, the memberof plugin cannot add memberof attributes for the privilege since it does not exist yet. This is the main issue that the BZ bug complains about.
>
> Martin

There are two problems:

1. The acis lacked a prefix so they didn't appear as permissions
2. The permission was added before the privilege so the memberof values weren't being calculated.

This fixes it for new installs and adds an update to fix up existing installs.

rob

From f0c46cac3afea07bbcf02af254f73c29dc122fd8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com Date: Wed, 5 Oct 2011 17:16:05 -0400 Subject: [PATCH] Fix DNS permissions and membership in privileges This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898 --- install/share/dns.ldif | 46 +- install/updates/40-delegation.update |6 install/updates/40-dns.update| 22 install/updates/Makefile.am |1 + 4 files changed, 52 insertions(+), 23 deletions(-) create mode 100644 install/updates/40-dns.update diff --git a/install/share/dns.ldif b/install/share/dns.ldif index dc79222..1ffadb5 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif 
@@ -4,6 +4,29 @@ objectClass: nsContainer objectClass: top cn: dns +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl permission:add dns entries;allow (add) groupdn = ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl permission:remove dns entries;allow (delete) groupdn = ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy)(target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl permission:update dns entries;allow (write) groupdn = ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX;) + +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Administrators +description: DNS Administrators + +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Servers +description: DNS Servers + dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames 
@@ -30,26 +53,3 @@ cn: update dns entries description: Update DNS entries member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX - -dn: $SUFFIX -changetype: modify -add: aci -aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Add DNS entries;allow (add) groupdn = ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX;) -aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl Remove DNS entries;allow (delete) groupdn = ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX;) -aci: (targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord
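Review bot: in the @@ -4,6 +4,29 @@ hunk the `update dns entries` ACI lists `idnsname` twice in its targetattr (once at the start of the list and again just before `idnszoneactive`); drop the duplicate. More importantly, the target `idnsname=*,cn=dns,$SUFFIX` matches zone entries as well as records, and the attribute list includes `idnsupdatepolicy`, `idnsallowdynupdate` and the SOA attributes, so holders of the "update dns entries" permission can also change a zone's dynamic-update policy. If that is intended, say so in the permission description; otherwise split the zone-level attributes into a separate permission. Moving the `DNS Administrators` and `DNS Servers` privilege entries ahead of the permissions is the right fix for the memberof ordering problem.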
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Martin Kosek wrote:
> On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> > > > The aci prefix was missing in the description of the three dns acis which made them not show up when viewing their permission entries.
> > > >
> > > > rob
> > >
> > > This works fine, but it is just a part of a solution. DNS related privileges miss memberof attribute for the DNS permissions and thus the permissions are not listed:
> > >
> > > # ipa permission-show add dns entries
> > > Permission name: add dns entries
> > > Permissions: add
> > > Type: dnsrecord
> > > Granted to Privilege: DNS Administrators, DNS Servers
> > >
> > > # ipa privilege-show DNS Administrators
> > > Privilege name: DNS Administrators
> > > Description: DNS Administrators
> > > Missing permissions
> > >
> > > I think the reason is that the permissions are in a wrong order in the LDIF and are created before the privilege itself. When member links are being created for DNS permissions, the memberof plugin cannot add memberof attributes for the privilege since it does not exist yet. This is the main issue that the BZ bug complains about.
> > >
> > > Martin
> >
> > There are two problems:
> >
> > 1. The acis lacked a prefix so they didn't appear as permissions
> > 2. The permission was added before the privilege so the memberof values weren't being calculated.
> >
> > This fixes it for new installs and adds an update to fix up existing installs.
> >
> > rob
>
> It works fine when doing upgrade. However, when running a clean install, I get these errors:
>
> # ipa-server-install --setup-dns
> ...
> [9/13]: publish CA cert
> [10/13]: creating a keytab for httpd
> [11/13]: configuring SELinux for httpd
> [12/13]: restarting httpd
> [13/13]: configuring httpd to start on boot
> done configuring httpd.
> Applying LDAP updates
> root : ERROR Add failure Object class violation: missing required attribute objectclass
> root : ERROR Add failure Object class violation: missing required attribute objectclass
> root : ERROR Add failure Object class violation: missing required attribute objectclass
> Restarting IPA to initialize updates before performing deletes:
> [1/2]: stopping directory server
> [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Configuring named:
> [1/9]: adding DNS container
> [2/9]: setting up our zone
> [3/9]: setting up reverse zone
> [4/9]: setting up our own record
> [5/9]: setting up kerberos principal
> [6/9]: setting up named.conf
> [7/9]: restarting named
> [8/9]: configuring named to start on boot
> [9/9]: changing resolv.conf to point to ourselves
> done configuring named.
> ==
> Setup complete
>
> Do you hit this too? Permissions and privileges member attributes were OK though.
>
> Martin

Bah, ok. We only create these permissions when dns is installed so I'll need to find some way to optionally add this.

rob
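The ordering problem Martin diagnoses above (the memberof plugin can only populate memberOf on an entry that already exists when the `member:` link is written) can be caught mechanically before an LDIF is loaded. The block below is an added example and not FreeIPA's code: a minimal LDIF parser plus a check that every `member:` value in an add record names an entry that is either pre-existing in the directory or added earlier in the same file. The two LDIF bodies are constructed to mirror the dns.ldif entries in the patch, with the `$SUFFIX` placeholder filled in the way the installer does; `dc=example,dc=test` is a made-up suffix.

```python
"""Check member: ordering in an LDIF before loading it.

Added example, not FreeIPA's code. The memberof plugin can only populate
memberOf on an entry that already exists when the member link is written,
so any DN named in a `member:` value must be created earlier in the same
LDIF or already be present in the directory.
"""
import re


def normalize_dn(dn):
    """Canonical form for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text, substitutions=None):
    """Minimal LDIF parser returning a list of (dn, changetype, attrs).

    Handles blank-line separated records, `attr: value` lines, comment
    lines and continuation lines (leading space). `$NAME` placeholders
    such as $SUFFIX are filled in first, as dns.ldif expects.
    """
    for name, value in (substitutions or {}).items():
        text = text.replace("$" + name, value)
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # LDIF continuation line
            else:
                lines.append(raw)
        if not lines:
            continue
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        changetype = attrs.pop("changetype", ["add"])[0]
        records.append((dn, changetype, attrs))
    return records


def check_member_order(records, existing=()):
    """Return (member_dn, group_dn) pairs for member: values that name an entry
    which is neither pre-existing nor added earlier in the LDIF."""
    known = {normalize_dn(dn) for dn in existing}
    problems = []
    for dn, changetype, attrs in records:
        if changetype != "add":
            continue  # modify records (e.g. the aci additions) create no entries
        for member in attrs.get("member", []):
            if normalize_dn(member) not in known:
                problems.append((member, dn))
        known.add(normalize_dn(dn))
    return problems


# Constructed records shaped like the dns.ldif ones; the two LDIF bodies
# below differ only in the order of these two entries.
PRIVILEGE = """\
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Administrators
description: DNS Administrators
"""
PERMISSION = """\
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
cn: add dns entries
description: Add DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
"""
OLD_ORDER = PERMISSION + "\n" + PRIVILEGE  # permission first: memberOf is never set
NEW_ORDER = PRIVILEGE + "\n" + PERMISSION  # privilege first: the order the patch uses
SUBST = {"SUFFIX": "dc=example,dc=test"}  # made-up suffix


def audit(ldif_text, existing=()):
    """Parse and check one LDIF body; returns the list of ordering problems."""
    return check_member_order(parse_ldif(ldif_text, SUBST), existing)


if __name__ == "__main__":
    for label, text in (("old order", OLD_ORDER), ("new order", NEW_ORDER)):
        print(label, audit(text) or "ok")
```

Passing `existing=` the DNs already present in the directory models the upgrade case, where the privileges exist and only the permissions are being re-linked.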
Re: [Freeipa-devel] Upgrading due to proxy changes
Adam Young wrote:
> Upgrading from a system that had an earlier version of IPA to the current is broken right now, due to the fact that the new code expects to talk to the Certificate Authority (CA) via the proxy ports (80, 443), and the old code used non standard ports (above 8000).
>
> IPA needs to make two changes during upgrade. I'm trying to figure out the right place to make them.
>
> The first change is to /etc/httpd/conf.d/nss.conf. The function to make the change during install is:
>
> ipaserver/install/httpinstance.py self.__enable_mod_nss_renegotiate
>
> which just makes these two method calls.
>
> installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
> installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
>
> Seems to me that they should be added to install/tools/ipa-upgradeconfig, possibly the main, or a function called from it. Should I move the call enable_mod_nss_renegotiate into installutils and call it from both places instead of having it in httpinstance?

You can create an HTTPInstance object and just call them directly, that is probably best.

fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()

You'll need to make the method public, drop the __.

> The other change is a little trickier. If the PKI server has not yet had the proxy enabled, we need to run the script pki-setup-proxy. To test if we should call that script, Ade and I have agreed that the best way is to test in CS.conf for changes made: The values proxy.securePort and proxy.unsecurePort should be set.
>
> Is there an appropriate tool for making this check? something from installutils? I'm guessing get_directive('/etc/pki-ca/CS.cfg','proxy.securePort' , '=')?

I guess I'd have preferred that the upgrade script be robust enough to be run any time. Given the circumstances this looks ok.

rob
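Both pieces discussed above, setting Apache-style directives in nss.conf and testing CS.cfg for `proxy.securePort` and `proxy.unsecurePort`, together with Rob's point that the upgrade script should be safe to run at any time, come down to idempotent directive handling. The block below is an added example and not FreeIPA's installutils: `read_directive` and `write_directive` are my own text-based stand-ins for the `get_directive`/`set_directive` calls named in the thread, and `upgrade_nss_conf`/`proxy_setup_needed` apply the checks the thread agrees on to constructed nss.conf and CS.cfg fragments.

```python
"""Idempotent directive handling for an upgrade step.

Added example, not FreeIPA's installutils: read_directive/write_directive
are text-based stand-ins for the get_directive/set_directive calls named in
the thread, and the two helpers below them mirror the checks it agrees on.
"""
import re


def read_directive(text, directive, separator="="):
    """Value of the first non-comment `directive<sep>value` line, or None.

    separator is '=' for CS.cfg-style files and ' ' for Apache-style
    directives such as `NSSRenegotiation on` in nss.conf.
    """
    pattern = re.compile(r"^\s*%s\s*%s\s*(.*?)\s*$"
                         % (re.escape(directive), re.escape(separator)))
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def write_directive(text, directive, value, separator="="):
    """Set directive to value, replacing an existing line or appending one.

    Duplicate occurrences are collapsed into the single new line, and
    applying the same call twice returns identical text: that is what makes
    the upgrade step safe to re-run at any time.
    """
    new_line = "%s%s%s" % (directive, separator, value)
    pattern = re.compile(r"^\s*%s\s*%s"
                         % (re.escape(directive), re.escape(separator)))
    out, replaced = [], False
    for line in text.splitlines():
        if not line.lstrip().startswith("#") and pattern.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop further copies instead of leaving conflicting values
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def upgrade_nss_conf(text):
    """The two renegotiation settings from the thread, as one idempotent step."""
    text = write_directive(text, "NSSRenegotiation", "on", " ")
    return write_directive(text, "NSSRequireSafeNegotiation", "on", " ")


def proxy_setup_needed(cs_cfg_text):
    """pki-setup-proxy is due if either proxy port is missing or empty."""
    return not (read_directive(cs_cfg_text, "proxy.securePort")
                and read_directive(cs_cfg_text, "proxy.unsecurePort"))


# Constructed fragments standing in for the real files.
OLD_NSS_CONF = """\
# constructed fragment of /etc/httpd/conf.d/nss.conf
NSSEngine on
NSSRenegotiation off
"""
OLD_CS_CFG = """\
# constructed fragment of CS.cfg from an instance set up before the proxy
pkicreate.secure_port=9444
"""
NEW_CS_CFG = OLD_CS_CFG + "proxy.securePort=443\nproxy.unsecurePort=80\n"

if __name__ == "__main__":
    once = upgrade_nss_conf(OLD_NSS_CONF)
    print(once, end="")
    print("second run unchanged:", upgrade_nss_conf(once) == once)
    print("proxy setup needed (old):", proxy_setup_needed(OLD_CS_CFG))
    print("proxy setup needed (new):", proxy_setup_needed(NEW_CS_CFG))
```

Checking both port keys, and treating a present-but-empty value as unset, avoids running the proxy setup twice on a half-configured instance while still catching one that was never converted.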
[Freeipa-devel] [PATCH] 0286-split-metadata-call
Even if ACKed, don't push this patch alone. It is part of some work that Petr V is going to be doing as part of fixing https://fedorahosted.org/freeipa/ticket/1933.

From b5b93109a9035557770f0959e21f4310bac5b7ba Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Thu, 6 Oct 2011 16:38:01 -0400
Subject: [PATCH] split metadata call

The JSON metadata call has grown large enough that parsing it requires too much stack space on some browsers. To avoid breaking the API, this change reuses some testing parameters that we established for the metadata call in the past.

To fetch just the objects call it like this:

{"method":"json_metadata","params":[["all",""],{}],"id":0}

And just the methods call it like this:

{"method":"json_metadata","params":[["","all"],{}],"id":0}

Note the difference in the positional parameters. To get a specific object, pass the object name as the first parameter. To get a specific method, pass a blank first parameter and the method name in the second parameter.

This is not ideal, but we are constrained by the existing API.
---
 ipalib/plugins/internal.py | 32 ++--
 1 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index ce6f2548965846eb1f28ccf1814902958b4f5a26..8c5b0955b1c2e2c1c0c2b15c0e026e24f9b3eefe 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -54,25 +54,29 @@ class json_metadata(Command): ) def execute(self, objname, methodname): +objects = dict() +methods = dict() -if objname and objname in self.api.Object: - -objects = dict( -(objname, json_serialize(self.api.Object[objname])) -) - +if objname : +if objname in self.api.Object: +o = self.api.Object[objname] +objects = dict([(o.name, json_serialize(o))]) +elif objname == all: +objects = dict( +(o.name, json_serialize(o)) for o in self.api.Object() +) +elif methodname: +if methodname in self.api.Method: +m = self.api.Method[methodname] +methods = dict([(m.name, json_serialize(m))]) +elif methodname == all: +methods = dict( +(m.name, json_serialize(m)) for m in self.api.Method() +) else: objects = dict( (o.name, json_serialize(o)) for o in self.api.Object() ) - -if methodname and methodname in self.api.Method: - -methods = dict( -(methodname, json_serialize(self.api.Method[methodname])) -) - -else: methods = dict( (m.name, json_serialize(m)) for m in self.api.Method() ) -- 1.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
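Review bot: in the @@ -54,25 +54,29 @@ hunk the `elif methodname:` branch is chained to `if objname :`, so a request that supplies both an object name and a method name silently ignores the method name and returns an empty `methods` dict; if only one of the two may be given (the commit message says to pass a blank first parameter), reject a non-blank combination explicitly rather than dropping data. Likewise an `objname` that is neither `all` nor a known object now falls through every branch and returns `{}` for both dicts, where the old code fell back to returning all objects; raising a not-found error there would give the caller something actionable. Style: `if objname :` has a stray space before the colon.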
Re: [Freeipa-devel] [PATCH] 887 add missing aci prefix to dns acis
Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-10-06 at 14:05 -0400, Rob Crittenden wrote:
> > > Martin Kosek wrote:
> > > > On Wed, 2011-10-05 at 17:18 -0400, Rob Crittenden wrote:
> > > > > The aci prefix was missing in the description of the three dns acis which made them not show up when viewing their permission entries.
> > > > >
> > > > > rob
> > > >
> > > > This works fine, but it is just a part of a solution. DNS related privileges miss memberof attribute for the DNS permissions and thus the permissions are not listed:
> > > >
> > > > # ipa permission-show add dns entries
> > > > Permission name: add dns entries
> > > > Permissions: add
> > > > Type: dnsrecord
> > > > Granted to Privilege: DNS Administrators, DNS Servers
> > > >
> > > > # ipa privilege-show DNS Administrators
> > > > Privilege name: DNS Administrators
> > > > Description: DNS Administrators
> > > > Missing permissions
> > > >
> > > > I think the reason is that the permissions are in a wrong order in the LDIF and are created before the privilege itself. When member links are being created for DNS permissions, the memberof plugin cannot add memberof attributes for the privilege since it does not exist yet. This is the main issue that the BZ bug complains about.
> > > >
> > > > Martin
> > >
> > > There are two problems:
> > >
> > > 1. The acis lacked a prefix so they didn't appear as permissions
> > > 2. The permission was added before the privilege so the memberof values weren't being calculated.
> > >
> > > This fixes it for new installs and adds an update to fix up existing installs.
> > >
> > > rob
> >
> > It works fine when doing upgrade. However, when running a clean install, I get these errors:
> >
> > # ipa-server-install --setup-dns
> > ...
> > [9/13]: publish CA cert
> > [10/13]: creating a keytab for httpd
> > [11/13]: configuring SELinux for httpd
> > [12/13]: restarting httpd
> > [13/13]: configuring httpd to start on boot
> > done configuring httpd.
> > Applying LDAP updates
> > root : ERROR Add failure Object class violation: missing required attribute objectclass
> > root : ERROR Add failure Object class violation: missing required attribute objectclass
> > root : ERROR Add failure Object class violation: missing required attribute objectclass
> > Restarting IPA to initialize updates before performing deletes:
> > [1/2]: stopping directory server
> > [2/2]: starting directory server
> > done configuring dirsrv.
> > Restarting the directory server
> > Restarting the KDC
> > Restarting the web server
> > Configuring named:
> > [1/9]: adding DNS container
> > [2/9]: setting up our zone
> > [3/9]: setting up reverse zone
> > [4/9]: setting up our own record
> > [5/9]: setting up kerberos principal
> > [6/9]: setting up named.conf
> > [7/9]: restarting named
> > [8/9]: configuring named to start on boot
> > [9/9]: changing resolv.conf to point to ourselves
> > done configuring named.
> > ==
> > Setup complete
> >
> > Do you hit this too? Permissions and privileges member attributes were OK though.
> >
> > Martin
>
> Bah, ok. We only create these permissions when dns is installed so I'll need to find some way to optionally add this.
>
> rob

I needed to add a new type to the updater to only add new values if the entry exists.

rob

From 5b42fd757840c088323f589cfb26b4607b892958 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com Date: Wed, 5 Oct 2011 17:16:05 -0400 Subject: [PATCH] Fix DNS permissions and membership in privileges This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898 --- install/share/dns.ldif | 46 +- install/tools/man/ipa-ldap-updater.1 |1 + install/updates/40-delegation.update |6 install/updates/40-dns.update| 22 install/updates/Makefile.am |1 + ipaserver/install/ldapupdate.py | 16 ++- 6 files changed, 67 insertions(+), 25 deletions(-) create mode 100644 install/updates/40-dns.update diff --git a/install/share/dns.ldif b/install/share/dns.ldif index dc79222..1ffadb5 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,6 +4,29 @@ objectClass: nsContainer objectClass: top cn: dns +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl permission:add dns entries;allow (add) groupdn = ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX;) +aci: (target = ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl permission:remove dns entries;allow (delete) groupdn = ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX;) +aci: (targetattr = idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || record || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord ||
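Review bot: the commit message still describes only the prefix and ordering fixes, but the diffstat now also touches install/tools/man/ipa-ldap-updater.1 and ipaserver/install/ldapupdate.py (+16), i.e. the new updater type that only adds values when the target entry already exists; add a paragraph naming the new keyword and its semantics, since that behaviour is what keeps the update from producing the "missing required attribute objectclass" failures on servers installed without DNS. The dns.ldif hunk is unchanged from the previous revision, including the `idnsname` listed twice in the `update dns entries` targetattr.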
[Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build fails with:

install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils'

And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime.

From 84c7617d408ff55e409ed93c88c59ec073959f54 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Thu, 6 Oct 2011 20:37:57 -0400
Subject: [PATCH 287/288] Make nss_mod config options change a public function

---
 ipapython/services.py | 48 +
 ipaserver/install/httpinstance.py |4 +-
 2 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 ipapython/services.py

diff --git a/ipapython/services.py b/ipapython/services.py
new file mode 100644
index ..c27c4865f1f86100ae4924239b9212e305384223
--- /dev/null
+++ b/ipapython/services.py
@@ -0,0 +1,48 @@ +# Authors: Alexander Bokovoy aboko...@redhat.com +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + +# authconfig is an entry point to platform-provided AuthConfig implementation +# (instance of ipapython.platform.base.AuthConfig) +authconfig = None + +# knownservices is an entry point to known platform services +# (instance of ipapython.platform.base.KnownServices) +knownservices = None + +# service is a class to instantiate ipapython.platform.base.PlatformService +service = None + +# restore context default implementation that does nothing +def restore_context_default(filepath): +return + +# Restore security context for a path +# If the platform has security features where context is important, implement your own +# version in platform services +restore_context = restore_context_default + +# Default implementation of backup and replace hostname that does nothing +def backup_and_replace_hostname_default(fstore, statestore, hostname): +return + +# Backup and replace system's hostname +# Since many platforms have their own way how to store system's hostname, this method must be +# implemented in platform services +backup_and_replace_hostname = backup_and_replace_hostname_default + +from ipapython.platform.redhat import * 
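Review bot: the new file ipapython/services.py (platform-service entry points, `restore_context`, `backup_and_replace_hostname`, ending in `from ipapython.platform.redhat import *`) has nothing to do with the subject "Make nss_mod config options change a public function" and carries a different author in its header; it looks like an unrelated work-in-progress file was swept into the commit and should be dropped or split into its own patch. If it is kept, the trailing wildcard import replaces the `None` defaults defined above it with whatever the redhat module happens to export, which is hard to audit; import the intended names explicitly. Also "nss_mod" in the subject should read "mod_nss".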
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index dbb0dd500891441e06087b3ddeeb91429e358f84..a485991c95d5c800b212ddcf993ba5e48f8a 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -76,7 +76,7 @@ class HTTPInstance(service.Service): self.step(disabling mod_ssl in httpd, self.__disable_mod_ssl) self.step(setting mod_nss port to 443, self.__set_mod_nss_port) self.step(setting mod_nss password file, self.__set_mod_nss_passwordfile) -self.step(enabling mod_nss renegotiate, self.__enable_mod_nss_renegotiate) +self.step(enabling mod_nss renegotiate, self.enable_mod_nss_renegotiate) self.step(adding URL rewriting rules, self.__add_include) self.step(configuring httpd, self.__configure_http) self.step(setting up ssl, self.__setup_ssl) @@ -166,7 +166,7 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -def __enable_mod_nss_renegotiate(self): +def enable_mod_nss_renegotiate(self): installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False) installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False) -- 1.7.6 From fe28296030abe227e7d3787d7a151ec88619779d Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:18 -0400 Subject: [PATCH 288/288] upgrade pki proxy setup Does not yet use httpinstance --- install/tools/ipa-upgradeconfig | 19 +-- 1 files changed, 17 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 1b08382e40788b9be80d538607bd605320279d8e..91534c2feb71959be2874b156f92ca15e1b4d822 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -25,12 +25,15 @@ Upgrade configuration
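Review bot: the rename in the @@ -166,7 +166,7 @@ hunk makes `enable_mod_nss_renegotiate` public but leaves it without a docstring; since code outside the class (the upgrade tool) will now depend on it, document that it edits NSS_CONF and is safe to call repeatedly, and take the opportunity to fix the missing space in `'on',False` on both lines. The step registration in the @@ -76,7 +76,7 @@ hunk is consistent with the rename.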
Re: [Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating groups
Martin Kosek wrote:
> On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > Since IPA v2 server already contain predefined groups that may collide with groups in migrated (IPA v1) server (for example admins, ipausers), users having colliding group as their primary group may happen to belong to an unknown group on new IPA v2 server.
> > >
> > > Implement --group-overwrite-gid option to overwrite GID of already existing groups to prevent this issue.
> > >
> > > https://fedorahosted.org/freeipa/ticket/1866
> >
> > For argument's sake, what is the user going to see the first time they run this? I assume they won't think about these duplicate groups and just do the migration. This means that the result may be some users pointing to non-existent GIDs.
>
> At first I was thinking about making the GID the default behavior and just add flag --dont-overwrite-gid. But I was afraid this could do some damage and change GIDs where it is not required. However, I made some improvements in this area, please see below.
>
> > If they re-run the migration with this option will it then fix everything up?
>
> Yep.
>
> > I'm wondering if we need a --test argument so people can run the migration w/o writing entries to look for problems like this.
> >
> > rob
>
> If we want to do this, we would have to add a lot of LDAP query checks since we mostly try doing the LDAP write and report failures in case of an exception.
>
> However, I updated the patch so that user is notified about existence of --group-overwrite-gid option better. If a migration of a group with a GID number fails because of DuplicateError, a notice about GID is displayed. This should make him check this situation and either use group-mod --gidnumber=... or re-run the migration with --group-overwrite-gid.
>
> I also updated the Password option not to ask user for LDAP password twice, because it makes me really mad :-)
>
> Martin

# ipa migrate-ds ldap://panther.greyoak.com --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --user-ignore-objectclass=radiusprofile
Password:
ipa: ERROR: an internal error has occurred

[Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError: _post_migrate_user() got an unexpected keyword argument 'options'
[Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
[Thu Oct 06 21:28:49 2011] [error] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 223, in wsgi_execute
[Thu Oct 06 21:28:49 2011] [error] result = self.Command[name](*args, **options)
[Thu Oct 06 21:28:49 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 432, in __call__
[Thu Oct 06 21:28:49 2011] [error] ret = self.run(*args, **options)
[Thu Oct 06 21:28:49 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 738, in run
[Thu Oct 06 21:28:49 2011] [error] return self.execute(*args, **options)
[Thu Oct 06 21:28:49 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py, line 633, in execute
[Thu Oct 06 21:28:49 2011] [error] ldap, config, ds_ldap, ds_base_dn, options
[Thu Oct 06 21:28:49 2011] [error] File /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py, line 602, in migrate
[Thu Oct 06 21:28:49 2011] [error] options = options,
[Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got an unexpected keyword argument 'options'

rob
Re: [Freeipa-devel] [PATCHES] 0287 and 0288 for Proxy upgrade
Adam Young wrote: Not yet ready for prime time. I've tested the changes to updateinstance by hand, so I know they work. I'm having problems with the python import setup. RPM build fails with: install/tools/ipa-upgradeconfig:36: [F0401] Unable to import 'installutils' And, if I uncomment the import for http utils, I get an error at run time as well. That confuses me, as I am able to import installutils at runtime. I think these patches fix it. Please double check my comments. I tested this on a non-updated dogtag install (e.g. it doesn't have the new script) and it didn't seem to break anything. rob From ddbb78fde74e07e67805ed0a3aee22a4e8aaf8d5 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:57 -0400 Subject: [PATCH 1/2] Make mod_nss renegotiation configuration a public function --- ipaserver/install/httpinstance.py |8 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index dbb0dd5..c5c047c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -76,7 +76,7 @@ class HTTPInstance(service.Service): self.step(disabling mod_ssl in httpd, self.__disable_mod_ssl) self.step(setting mod_nss port to 443, self.__set_mod_nss_port) self.step(setting mod_nss password file, self.__set_mod_nss_passwordfile) -self.step(enabling mod_nss renegotiate, self.__enable_mod_nss_renegotiate) +self.step(enabling mod_nss renegotiate, self.enable_mod_nss_renegotiate) self.step(adding URL rewriting rules, self.__add_include) self.step(configuring httpd, self.__configure_http) self.step(setting up ssl, self.__setup_ssl) 
@@ -166,9 +166,9 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) -def __enable_mod_nss_renegotiate(self): -installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False) -installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False) +def enable_mod_nss_renegotiate(self): +installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False) +installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') -- 1.7.6.4 From 41f6544ea55afd0229e18769853c1e6227baa191 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Thu, 6 Oct 2011 20:37:18 -0400 Subject: [PATCH 2/2] Execute pki proxy setup when server is upgraded if needed --- install/tools/ipa-upgradeconfig | 23 +-- 1 files changed, 21 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 1b08382..406da93 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -25,7 +25,10 @@ Upgrade configuration files to a newer template. import sys try: -from ipapython import ipautil +from ipapython import ipautil, sysrestore +from ipaserver.install import installutils +from ipaserver.install import dsinstance +from ipaserver.install import httpinstance import krbV import re import os 
@@ -135,6 +138,22 @@ def check_certs(): print Missing Certification Authority file. print You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt +def upgrade_pki(): + +Update/add the dogtag proxy configuration. The IPA side of this is +handled in ipa-pki-proxy.conf. + +This requires enabling SSL renegotiation. + +fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +http = httpinstance.HTTPInstance(fstore) +http.enable_mod_nss_renegotiate() +if not installutils.get_directive('/etc/pki-ca/CS.cfg', + 'proxy.securePort', '=') and \ +os.path.exists('/usr/bin/pki-setup-proxy'): +ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib' + ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) + def main(): Get some basics about the system. If getting those basics fail then @@ -162,7 +181,7 @@ def main(): upgrade(sub_dict, /etc/httpd/conf.d/ipa.conf, ipautil.SHARE_DIR + ipa.conf) upgrade(sub_dict, /etc/httpd/conf.d/ipa-rewrite.conf, ipautil.SHARE_DIR + ipa-rewrite.conf) upgrade(sub_dict, /etc/httpd/conf.d/ipa-pki-proxy.conf, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) - +upgrade_pki() try: if __name__ == __main__: sys.exit(main()) -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
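Review bot: in the @@ -135,6 +138,22 @@ hunk, `upgrade_pki()` calls `installutils.get_directive('/etc/pki-ca/CS.cfg', 'proxy.securePort', '=')` unconditionally, so on a server installed without a CA (no /etc/pki-ca/CS.cfg) the tool will fail unless get_directive tolerates a missing file; guard with `os.path.exists('/etc/pki-ca/CS.cfg')` before the check, and test `proxy.unsecurePort` as well, since the thread agreed both values must be set. The `ipautil.run([... 'pki-setup-proxy' ...])` call is not wrapped in try/except, so a failing proxy setup aborts the remaining upgrade steps; catch the error, log it and continue. The docstring says the proxy "requires enabling SSL renegotiation", yet `http.enable_mod_nss_renegotiate()` runs even when no proxy setup happens, which is fine for idempotence but should be stated. Style: the argument list splits `'-pki_instance_root=/var/lib'` and `,'-pki_instance_name=pki-ca'` across lines with a leading comma; put one argument per line.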
Re: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain
Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
> > > I ended up not using raiseonerr=False as all I needed is a way to break out of the loop on success so that will come sequentially if there is no exception. Patch attached.
> >
> > This works but there is a noticeable pause on my system when ntpdate is being run. I think it would be handy to output a message saying that the date is being updated.
>
> I'll add the message.
>
> > Is it necessary to sync the date when a one-time password is being used? It doesn't hurt but it does pause a second or three.
>
> If I understand correctly, our use of OTP term for hosts is different from what current IETF draft on OTP preauth with kerberos assumes. At least, according to IETF draft on OTP preauth with kerberos, http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4 client has to submit next key if clocks have drifted which implies you cannot re-use the same OTP next time. To me this looks like in OTP case clocks synchronization is very important.
>
> In our OTP case it does not matter except for an artificial delay...

I've added the message. I modified the commit message a bit to prevent wrapping.

Pushed to master and ipa-2-1

rob
Re: [Freeipa-devel] [PATCH] 138 Prevent collisions of hostgroup and netgroup
Martin Kosek wrote: On Wed, 2011-10-05 at 16:43 -0400, Rob Crittenden wrote: Martin Kosek wrote: For every hostgroup a managed netgroup is created (if this is allowed). Make sure that if a stand-alone netgroup exists, a hostgroup with the same name cannot be created to prevent collisions. https://fedorahosted.org/freeipa/ticket/1914

You need to check to see if the managed entries configuration is enabled before doing this. If it is disabled then having duplicate names is fine (though re-enabling it later would have undefined consequences).

rob

Are you sure about this? If somebody disables the netgroup managed entry plugin for some reason and later would want to enable it again he could run into trouble with duplicate entries (as you mentioned). Personally I would leave the patch as is. If you are sure this needs to be done, I can make the check using the same LDAP query for NGP Definition that ipa-managed-entries does.

Martin

ack, pushed to master and ipa-2-1

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 888 always verify hostname
When installing with DNS we skip a few hostname checks on the assumption that the DNS we are installing will cover things. We still need to verify /etc/hosts and we do this with gethostbyname_ex() which returns the primary name and all other names of the host. If the primary name doesn't match (e.g. the shortname is defined first in /etc/hosts) or it isn't resolvable at all then we error out.

This also prevents a chicken-and-egg error as several services need to start before DNS is available so the hostname must be defined.

rob

From 61eca7977029bb9794d03b1498292d7f3569ddce Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 6 Oct 2011 17:11:58 -0400 Subject: [PATCH] Require hostname be resolveable and sane, even with --setup-dns When installing with DNS we skip a bunch of checks because we assume the DNS server itself will handle things. We still need to double-check that /etc/hosts is sane (and configured). https://fedorahosted.org/freeipa/ticket/1923 --- ipaserver/install/installutils.py |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index ac1e3f4..828c84f 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -142,6 +142,13 @@ def verify_fqdn(host_name, no_host_dns=False, system_name_check=True): print Warning: The host name '%s' does not match the system host name '%s'. % (host_name, system_host_name) print Some services may not work properly. +try: +ex_name = socket.gethostbyname_ex(host_name) +if host_name != ex_name[0]: +raise RuntimeError(The host name %s does not match the primary host name %s % (host_name, ex_name[0])) +except socket.gaierror: +raise RuntimeError(The host name %s is not resolvable. It must appear in at least /etc/hosts. % host_name) + if no_host_dns: print Warning: skipping DNS resolution of host, host_name return -- 1.7.6.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
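Review bot: the new `gethostbyname_ex` block sits above the `if no_host_dns:` early return, so `--no-host-dns` no longer skips name resolution at all, and `socket.gethostbyname_ex()` goes through the system resolver (nsswitch order), not only `/etc/hosts`, so the message "It must appear in at least /etc/hosts" can mislead when the answer actually came from DNS; if running the check regardless of `no_host_dns` is intended, say so in the commit message. Also `host_name != ex_name[0]` is a case-sensitive comparison of names that are case-insensitive, so an `/etc/hosts` entry that differs from `host_name` only in letter case trips the "does not match the primary host name" error; compare `host_name.lower()` against `ex_name[0].lower()`.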
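To make the host-name check from Rob's message concrete, here is an added example (not the FreeIPA patch, and not code from the project): the same `gethostbyname_ex()`-style check written as a pure function that takes the resolver as a parameter, so the cases the patch cares about (FQDN listed first, short name listed first, name missing entirely, letter-case differences) can be exercised against a constructed fake `/etc/hosts` without touching the real one. `HostnameError`, `verify_primary_name`, `make_hosts_resolver`, `check` and the sample host lines are all assumptions of this example.

```python
"""Host-name sanity check of the kind the patch above adds to verify_fqdn().

Added example, not the FreeIPA code: the check is a pure function that
takes the resolver as a parameter so its failure modes can be tested
against a constructed /etc/hosts instead of the real resolver.
"""
import socket


class HostnameError(Exception):
    """Raised when the host name fails the sanity check (hypothetical type)."""


def verify_primary_name(host_name, resolve=socket.gethostbyname_ex):
    """Return the primary (canonical) name the resolver reports for host_name.

    resolve() must behave like socket.gethostbyname_ex(): return a
    (primary_name, aliases, addresses) tuple or raise socket.gaierror.
    Raises HostnameError if the name is unresolvable or if the primary
    name is not host_name itself, e.g. because a short name is listed
    first on the /etc/hosts line.
    """
    try:
        primary, _aliases, _addrs = resolve(host_name)
    except socket.gaierror as e:
        raise HostnameError(
            "The host name %s is not resolvable. It must appear in at "
            "least /etc/hosts (%s)." % (host_name, e))
    # Host names are case-insensitive, so compare in lower case.
    if host_name.lower() != primary.lower():
        raise HostnameError(
            "The host name %s does not match the primary host name %s"
            % (host_name, primary))
    return primary


def make_hosts_resolver(hosts_lines):
    """Build a gethostbyname_ex()-like resolver from /etc/hosts-style lines.

    Each line is: address canonical_name [alias ...]. The first name on the
    first matching line is the primary name, mirroring how the files
    source answers gethostbyname_ex(). Input is constructed for the demo.
    """
    entries = []
    for line in hosts_lines:
        fields = line.split('#', 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))

    def resolve(name):
        for addr, names in entries:
            if name.lower() in (n.lower() for n in names):
                return (names[0], names[1:], [addr])
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve


# Constructed /etc/hosts samples covering the cases the patch describes.
GOOD_HOSTS = ["192.0.2.10 ipa.example.test ipa   # FQDN first: accepted"]
SHORT_FIRST_HOSTS = ["192.0.2.10 ipa ipa.example.test  # short name first: rejected"]
MISSING_HOSTS = ["127.0.0.1 localhost"]             # host not listed at all


def check(hosts_lines, host_name="ipa.example.test"):
    """Run the check against constructed hosts lines; return (ok, message)."""
    try:
        return True, verify_primary_name(host_name, make_hosts_resolver(hosts_lines))
    except HostnameError as e:
        return False, str(e)


if __name__ == "__main__":
    for label, lines in [("good", GOOD_HOSTS),
                         ("short-first", SHORT_FIRST_HOSTS),
                         ("missing", MISSING_HOSTS)]:
        print(label, check(lines))
```

Passing the real `socket.gethostbyname_ex` (the default) turns `verify_primary_name` into the same check the patch performs on a live system; the injected resolver only exists so the error paths can be driven deterministically.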
Re: [Freeipa-devel] [PATCH] 020 Fixed links to images in config and migration pages
On 10/6/2011 8:42 AM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/1932

Description of problem: Title is missing while configuring browser for the first time.

Actual results: There is no title on this screen. I noticed it only on step 8 and later so I am not sure if title is also missing earlier at step 6 or not.

Expected results: Title Identity Management is always present.

Fixed:
* modified paths to images
* fixed padding in ssbrowser.html
* moved browser icons to ui folder
* deleted unused images in html and migration folders (they are already in ui folder, and weren't deployed)

ACK and pushed to master and ipa-2-1.

-- Endi S. Dewata

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel