Re: [Freeipa-devel] [PATCH] 417 Regression fix: missing control buttons in nested search facets
On 05/29/2013 01:43 PM, Ana Krivokapic wrote:
> On 05/29/2013 10:38 AM, Petr Vobornik wrote:
> > Automount maps, keys and dnsrecord search facet are missing control buttons (add, delete, refresh).
> >
> > Regression introduced by 6e90920233cc9a7c9feb040dea22cda837715c39 - 'Move spec modifications from facet factories to pre_ops'.
> >
> > https://fedorahosted.org/freeipa/ticket/3605
>
> This fixes the issue, ACK.

Pushed to master, ipa-3-2.

-- 
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Minor error: format not a string literal and no format arguments [-Werror=format-security]
On 06/02/2013 06:48 AM, Diane Trout wrote:
> I wasn't subscribed to the list before, so here's the git formatted patch you were asking for.
>
> Diane

Sumit already ACKed the patch, I pushed it to master and ipa-3-2 branches.

Thanks for the patch. We appreciate efforts in making FreeIPA available on other platforms, patches welcome.

Martin
Re: [Freeipa-devel] [PATCH 0159] Deprecate configuration without persistent search
On 31.5.2013 16:01, Tomas Hozza wrote:
> ACK.

Pushed to master: 7b685ff7077d10c1917c5a9a97b50d77587b8f04

> Looks good.
>
> Regards,
> Tomas Hozza
>
> - Original Message -
> > On 28.5.2013 15:55, Petr Spacek wrote:
> > Hello,
> >
> > Deprecate configuration without persistent search.
> >
> > https://fedorahosted.org/bind-dyndb-ldap/ticket/120
> >
> > This version of the patch adds notice to the README.
> >
> > -- Petr^2 Spacek

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0160] Fix crash triggered by missing sasl_user parameter
On 31.5.2013 14:07, Tomas Hozza wrote:
> ACK

Pushed to master: 65de3f4d5718edf27899cf90389cb7cb15f5d725

> Works as expected.
>
> Regards,
> Tomas Hozza
>
> - Original Message -
> > Hello,
> >
> > Fix crash triggered by missing sasl_user parameter.
> >
> > -- Petr^2 Spacek

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0161] Validate authentication settings strictly
On 31.5.2013 15:21, Tomas Hozza wrote:
> ACK.

Pushed to master: d6d8e23e2a7a6e2d2b9d34e957d32f620edf96d0

> Works OK.
>
> Regards,
> Tomas Hozza
>
> - Original Message -
> > Hello,
> >
> > Validate authentication settings strictly.
> > - auth_method 'SASL' does not accept bind_dn and password options
> > - auth_method 'simple' does not accept sasl_* and krb5_* options
> > - auth_method 'none' does not accept any of the options above
> >
> > -- Petr^2 Spacek

-- 
Petr^2 Spacek
[Freeipa-devel] Announcing FreeIPA 3.1.5
The FreeIPA team is proud to announce version FreeIPA v3.1.5.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new version has also been built for Fedora 18 and is on its way to updates-testing: https://admin.fedoraproject.org/updates/freeipa-3.1.5-1.fc18

== Highlights in 3.1.5 ==

=== Bug fixes ===

* Directory Server CLDAP responder now returns a result in all cases to avoid timeouts or freezes with Windows DC or other tools probing this interface.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with an excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users

== Detailed Changelog since 3.1.4 ==

Alexander Bokovoy (1):
* Fix cldap parser to work with a single equality filter (NtVer=...)

Martin Kosek (1):
* Become IPA 3.1.5

Petr Viktorin (1):
* Remove leading zero from IPA_NUM_VERSION

Simo Sorce (2):
* CLDAP: Fix domain handling in netlogon requests
* CLDAP: Return empty reply on non-fatal errors
[Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
Hi,

Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters.

https://fedorahosted.org/freeipa/ticket/3640

Tomas

From 0ad7f3ee2c20f668bc64a2856ce444d31df65c3f Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 3 Jun 2013 09:56:08 +0200 Subject: [PATCH] Do not check userPassword with 7-bit plugin Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 --- install/updates/50-7_bit_check.update | 3 +++ install/updates/Makefile.am | 1 + 2 files changed, 4 insertions(+) create mode 100644 install/updates/50-7_bit_check.update diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update new file mode 100644 index ..cef3159b6ac2586bbac42112d3e86b073b8faa3d --- /dev/null +++ b/install/updates/50-7_bit_check.update @@ -0,0 +1,3 @@ +# Remove userPassword from the list of attributes checked by 7-bit plugin +dn: cn=7-bit check,cn=plugins,cn=config +replace:nsslapd-pluginarg2:userpassword::mail \ No newline at end of file diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -35,6 +35,7 @@ app_DATA =\ 40-automember.update \ 40-otp.update \ 45-roles.update \ + 50-7_bit_check.update \ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ -- 1.8.1.4
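Review bot: The `replace:nsslapd-pluginarg2:userpassword::mail` line in the 50-7_bit_check.update hunk only takes effect when nsslapd-pluginarg2 currently holds `userpassword`; on an instance where the 7-bit check argument list was reordered or customised, the update matches nothing, userPassword silently stays on the checked list, and the failure mode the ticket describes persists after the upgrade. The file also ends without a trailing newline (`\ No newline at end of file`). Suggest a comment in the update file stating why `replace` rather than `remove` is used and which argument slot is assumed, and a terminating newline.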
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
Hi,

On 3.6.2013 13:10, Tomas Babej wrote:
> Hi,
>
> Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters.
>
> https://fedorahosted.org/freeipa/ticket/3640
>
> Tomas

what is the idea behind this:

+replace:nsslapd-pluginarg2:userpassword::mail

why not use remove instead of replace?

Also please add the missing newline at the end of the update file.

Honza

-- 
Jan Cholasta
[Freeipa-devel] [RFE] Integration testing
Hello,

A design document for integration testing is available at http://www.freeipa.org/page/V3/Integration_testing. I've copied it below for easier quoting.

= Overview =

Make it possible to write and run multi-host integration tests (such as: install master and replica, add user on replica, verify it's added on master). These tests will be run from continuous integration. Any developer can also run them manually.

= Use Cases =

== Continuous integration ==

The developer team at Red Hat will run a Jenkins continuous integration server that will run the tests automatically (after each commit if resources are available). The CI results will be posted publicly.

== Developer testing ==

Anyone is able to run integration tests without advanced infrastructure; only a number of virtual machines to run the tests on is needed.

== Beaker integration ==

The tests will run seamlessly inside [http://beaker-project.org/ Beaker]/[https://fedoraproject.org/wiki/QA/RHTS RHTS]. A special option enables reporting via BeakerLib.

= Non-goals =

A complete testing/continuous integration setup needs some steps that will not be included in IPA's test suite:
* Building the code
* VM provisioning (there are just too many disparate ways to do it; people with a virtual datacenter should already have a preferred tool. If we come up with something for ourselves we'll have to make too many assumptions for it to be useful somewhere else.)
* Configuring the basic system, installing the packages (again, support for this can be added in the future. Release Puppet/Ansible configuration?)

= Design =

The Python package with the IPA test suite is renamed to ipatests, and packaged for RPM-based systems as freeipa-tests. Eventually the package will be included in Fedora.

Integration tests will be controlled from a single machine, and executed on a number of remote machines that act as servers, replicas, clients, etc. The controlling machine communicates with the others via the SSH protocol. (The controlling machine may be the same as one of the remote ones.)

Integration tests are included in the main IPA test suite, and configured using environment variables. If the variables are missing, all integration tests are skipped. If an insufficient number of hosts is configured for a test, the individual test will be skipped.

A tool is provided to run installed tests.

The remote machines used for integration testing are required to have relevant IPA packages installed, firewall opened up, any needed workarounds applied (RPM downgrades, SELinux mode, ...), and sshd set up to allow root login. The test runner will connect to these machines, install IPA, perform the tests, and then uninstall IPA and return the systems to their previous state.

A plugin for integration with BeakerLib is provided.

= Test configuration =

Tests are configured using these environment variables.

== Host configuration ==

$MASTER: FQDN of the first IPA server
$REPLICA: FQDNs of other IPA servers (space-separated)
$CLIENT: FQDNs of IPA clients (space-separated)
$MASTER_env2, $REPLICA_env2, $CLIENT_env2, $MASTER_env3, ...: can be used for additional domains when needed

DNS needs to be set up so that IP addresses can be obtained for these hosts.

== Basic configuration ==

$IPATEST_DIR: Directory for test data on the remote hosts (default: /root/ipatests)
$DNSFORWARD: IP of a DNS forwarder (default: 8.8.8.8)

== Test customization ==

$DOMAIN: IPA domain name (default: taken from $MASTER)
$NISDOMAIN: NIS domain name (default: ipatest)
$NTPSERVER: NIS domain name (default: ipatest)
$IPv6SETUP: Set to TRUE for IPv6-only connectivity
$IPADEBUG: Set to enable test debugging
$ADMINID: Admin username (default: admin)
$ADMINPW: Admin user password (default: Secret123)
$ROOTDN: Directory manager DN (default: cn=Directory Manager)
$ROOTDNPWD: Directory manager password (default: Secret123)

= Supporting tools =

== ipa-test-config ==

This tool reads the configuration variables above and outputs a Bash script that sets a much more complete set of variables for easy shell-based testing or test set-up. Without arguments, ipa-test-config outputs information specific to the host it is run on. When given a hostname, it prints config for that host. With the --global flag, it outputs configuration common to all hosts.

== ipa-run-tests ==

This tool is a wrapper around nosetests and accepts the same arguments as Nose. It loads any additional plugins and runs tests from the system-installed IPA test suite.

== Other ==

TBD: Additional command-line tools may be provided for tasks such as installing IPA in a given topology.

= Implementation =

Test cases are implemented as Nose test classes, with installation/uninstallation as class setup/teardown. A BeakerLib plugin is provided that starts/ends
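As an added illustration, not part of the design page or of the ipatests package, here is how the host-variable scheme above ($MASTER, $REPLICA, $CLIENT and the *_envN suffixes) can be parsed and the two skip rules applied; `parse_domains`, `skip_reason` and the sample environment are constructed for this example.

```python
import re

# Constructed sample environment following the variable scheme of the design:
# unsuffixed variables describe the first domain, *_envN the N-th one, and
# multi-host values are space-separated FQDNs.
SAMPLE_ENV = {
    'MASTER': 'master.ipa.test',
    'REPLICA': 'replica1.ipa.test replica2.ipa.test',
    'CLIENT': 'client1.ipa.test',
    'MASTER_env2': 'master.second.test',
    'CLIENT_env2': 'client1.second.test client2.second.test',
    'DNSFORWARD': '8.8.8.8',          # not a host role, must be ignored
}

ROLES = ('MASTER', 'REPLICA', 'CLIENT')
_VAR_RE = re.compile(r'^(MASTER|REPLICA|CLIENT)(?:_env(\d+))?$')


def parse_domains(env):
    """Group host variables by domain index.

    Returns {1: {'MASTER': [...], 'REPLICA': [...], 'CLIENT': [...]}, 2: ...}.
    Hostnames are kept verbatim; resolving them is left to DNS, as the design
    requires. Variables that are not host roles are ignored.
    """
    domains = {}
    for name, value in env.items():
        match = _VAR_RE.match(name)
        if not match:
            continue
        role, suffix = match.group(1), match.group(2)
        index = int(suffix) if suffix else 1
        domain = domains.setdefault(index, {r: [] for r in ROLES})
        domain[role] = value.split()
    return domains


def skip_reason(env, num_replicas=0, num_clients=0, num_domains=1):
    """Return None when enough hosts are configured for a test, otherwise a
    human-readable reason.

    Mirrors the design's two rules: no host variables at all skips every
    integration test; too few hosts for a particular test skips that test.
    Replica and client counts are checked against the first domain.
    """
    domains = parse_domains(env)
    if not domains:
        return 'integration test hosts not configured ($MASTER unset)'
    for index in range(1, num_domains + 1):
        domain = domains.get(index)
        if not domain or not domain['MASTER']:
            return 'domain %d needs a $MASTER' % index
        if len(domain['MASTER']) != 1:
            return 'domain %d must have exactly one $MASTER' % index
    first = domains[1]
    if len(first['REPLICA']) < num_replicas:
        return 'need %d replicas, %d configured' % (
            num_replicas, len(first['REPLICA']))
    if len(first['CLIENT']) < num_clients:
        return 'need %d clients, %d configured' % (
            num_clients, len(first['CLIENT']))
    return None


if __name__ == '__main__':
    # A real test runner would pass os.environ; the sample stands in for it.
    for kwargs in ({}, {'num_replicas': 2, 'num_clients': 1},
                   {'num_replicas': 3}, {'num_domains': 2}, {'num_domains': 3}):
        print(kwargs, '->', skip_reason(SAMPLE_ENV, **kwargs))
```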
[Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
Hi,

this patch fixes the installation problems on master on F19 with krb5 packages = 1.11.2-6

https://fedorahosted.org/freeipa/ticket/3666

Tomas

From f3e6b38bee50bf5856ae04bfb6ccd109b636f037 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 3 Jun 2013 12:06:06 +0200 Subject: [PATCH] Use private ccache in ipa-server-install https://fedorahosted.org/freeipa/ticket/3666 --- install/tools/ipa-server-install | 10 ++ 1 file changed, 10 insertions(+) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 62adbd5bc5183793f3371e46e276b9ad20077b84..db29ac3a79228ae44435630e2ad9fb6bd1145ada 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -1210,6 +1210,7 @@ def main(): if __name__ == '__main__': success = False + try: # FIXME: Common option parsing, logging setup, etc should be factored # out from all install scripts @@ -1219,11 +1220,20 @@ if __name__ == '__main__': else: log_file_name = /var/log/ipaserver-install.log +# Use private ccache +(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc') +os.environ['KRB5CCNAME'] = cache_path + installutils.run_script(main, log_file_name=log_file_name, operation_name='ipa-server-install') success = True finally: +# Remove private ccache +os.close(cache_desc) +if os.path.exists(cache_path): +os.remove(cache_path) + if not success and installation_cleanup: # Do a cautious clean up as we don't know what failed and what is # the state of the environment -- 1.8.1.4
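Review bot: In the second hunk the `finally:` block calls `os.close(cache_desc)` and `os.remove(cache_path)`, but both names are only bound once `tempfile.mkstemp()` has run inside the try body; if anything before that point raises (the option parsing and log file selection sit in the same try), the cleanup itself raises NameError and masks the original error. Suggest initialising `cache_path = None` before the `try:`, closing the descriptor immediately after `mkstemp()` since only the path is needed for KRB5CCNAME, and guarding the removal with `if cache_path and os.path.exists(cache_path):`. A docstring or comment on why the private cache is needed (the krb5 version noted in the cover mail) would also help the next reader.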
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 01:32 PM, Jan Cholasta wrote:
> Hi,
>
> On 3.6.2013 13:10, Tomas Babej wrote:
> > Hi,
> >
> > Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters.
> >
> > https://fedorahosted.org/freeipa/ticket/3640
> >
> > Tomas
>
> what is the idea behind this:
>
> +replace:nsslapd-pluginarg2:userpassword::mail
>
> why not use remove instead of replace?

Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash. In this update, I would like to operate only with this one attribute to avoid shifting the whole nsslapd-pluginargX array if we chose to remove nsslapd-pluginarg2.

I thought that the safest approach would be to simply replace nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP. But I am open to other values leading to not checking userPassword attribute + changing nsslapd-pluginarg2 only.

Martin
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 3.6.2013 14:55, Martin Kosek wrote:
> On 06/03/2013 01:32 PM, Jan Cholasta wrote:
> > Hi,
> >
> > On 3.6.2013 13:10, Tomas Babej wrote:
> > > Hi,
> > >
> > > Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters.
> > >
> > > https://fedorahosted.org/freeipa/ticket/3640
> > >
> > > Tomas
> >
> > what is the idea behind this:
> >
> > +replace:nsslapd-pluginarg2:userpassword::mail
> >
> > why not use remove instead of replace?
>
> Because of https://fedorahosted.org/389/ticket/47370, I found - DS would crash. In this update, I would like to operate only with this one attribute to avoid shifting the whole nsslapd-pluginargX array if we chose to remove nsslapd-pluginarg2.
>
> I thought that the safest approach would be to simply replace nsslapd-pluginarg2 with an already checked value, thus creating a safe NOOP. But I am open to other values leading to not checking userPassword attribute + changing nsslapd-pluginarg2 only.
>
> Martin

I see. Anyway, I think there should be a comment in the update file explaining why replace is necessary.

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0065] Use private ccache in ipa-server-install
On 06/03/2013 02:43 PM, Tomas Babej wrote:
> Hi,
>
> this patch fixes the installation problems on master on F19 with krb5 packages = 1.11.2-6
>
> https://fedorahosted.org/freeipa/ticket/3666
>
> Tomas

1) Leaving cache_desc open:

+(cache_desc, cache_path) = tempfile.mkstemp(prefix='krbcc')
+os.environ['KRB5CCNAME'] = cache_path

Why do we keep the descriptor open and close it at the end of the installation? Can we close it right after tempfile.mkstemp? I think we do it this way in other places in installation.

2) What about other installers where we handle Kerberos auth, like ipa-{replica,dns,ca}-install? A common function, or other shared means, of handling KRB5CCNAME may be appropriate to avoid duplicating code too much.

Martin
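The two review points above, closing the descriptor as soon as the file exists and sharing one helper across the installers, fit naturally into a context manager. This is an added example, not FreeIPA code; `private_ccache` and `install_with_private_ccache` are hypothetical names, and the stand-in installer steps are constructed for the demonstration.

```python
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def private_ccache(prefix='krbcc'):
    """Run the enclosed block with KRB5CCNAME pointing at a fresh, private
    credential cache, then restore the caller's setting and delete the file.

    A private cache keeps the installer's Kerberos tickets out of the
    operator's default cache and leaves nothing behind when the block ends,
    whether it finished normally or raised.
    """
    cache_desc, cache_path = tempfile.mkstemp(prefix=prefix)
    # Only the path is needed: the krb5 library opens the cache by name,
    # so the descriptor returned by mkstemp() can be closed right away.
    os.close(cache_desc)
    previous = os.environ.get('KRB5CCNAME')
    os.environ['KRB5CCNAME'] = cache_path
    try:
        yield cache_path
    finally:
        # Restore the caller's KRB5CCNAME (or unset it if it was unset).
        if previous is None:
            os.environ.pop('KRB5CCNAME', None)
        else:
            os.environ['KRB5CCNAME'] = previous
        # mkstemp() always creates the file, but a tool run inside the block
        # may have removed it already, so check before unlinking.
        if os.path.exists(cache_path):
            os.remove(cache_path)


def install_with_private_ccache(install_step):
    """Run an installer step (any callable taking the cache path) inside a
    private ccache and report what happened, so the behaviour is checkable.

    Returns a dict with the cache path used, the step's result or error,
    whether the cache file is gone afterwards, and KRB5CCNAME before/after.
    """
    outcome = {'ccache_before': os.environ.get('KRB5CCNAME')}
    try:
        with private_ccache() as cache_path:
            outcome['cache_path'] = cache_path
            outcome['step_result'] = install_step(cache_path)
    except Exception as exc:  # the step failed; cleanup must still have run
        outcome['error'] = str(exc)
    outcome['cache_removed'] = ('cache_path' in outcome
                                and not os.path.exists(outcome['cache_path']))
    outcome['ccache_after'] = os.environ.get('KRB5CCNAME')
    return outcome


def _sample_step(cache_path):
    # Constructed stand-in for an installer step: record what it observes.
    return {'env': os.environ['KRB5CCNAME'],
            'file_exists': os.path.exists(cache_path)}


def _failing_step(cache_path):
    # Constructed stand-in for a step that fails half way through.
    raise RuntimeError('simulated installer failure')


if __name__ == '__main__':
    os.environ['KRB5CCNAME'] = 'FILE:/tmp/krb5cc_operator'  # constructed value
    print(install_with_private_ccache(_sample_step))
    print(install_with_private_ccache(_failing_step))
```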
Re: [Freeipa-devel] [PATCH 0064] Do not check userPassword with 7-bit plugin
On 06/03/2013 01:10 PM, Tomas Babej wrote:
> Hi,
>
> Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters.
>
> https://fedorahosted.org/freeipa/ticket/3640
>
> Tomas

Proper explanation and missing newline added. Updated patch attached.

Tomas

From 11ae96664836427010d62c89e83a89480f02cca3 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 3 Jun 2013 09:56:08 +0200 Subject: [PATCH] Do not check userPassword with 7-bit plugin Default list of attributes that are checked with 7-bit plugin for being 7-bit clean includes userPassword. Consecutively, one is unable to set passwords that contain non-ascii characters. https://fedorahosted.org/freeipa/ticket/3640 --- install/updates/50-7_bit_check.update | 6 ++ install/updates/Makefile.am | 1 + 2 files changed, 7 insertions(+) create mode 100644 install/updates/50-7_bit_check.update diff --git a/install/updates/50-7_bit_check.update b/install/updates/50-7_bit_check.update new file mode 100644 index ..b9ea8a97d570e37b6337284358d40c05e32196b6 --- /dev/null +++ b/install/updates/50-7_bit_check.update @@ -0,0 +1,6 @@ +# Remove userPassword from the list of attributes checked by 7-bit plugin +# Replace argument value 'userPassword' with 'mail' to avoid the need to +# shift the whole argument array. Attribute 'mail' is already listed +# in pluginarg1, so it is conveniently used as valid value placeholder. +dn: cn=7-bit check,cn=plugins,cn=config +replace:nsslapd-pluginarg2:userpassword::mail diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 787a51cfcc574b8d4e0a11b749c1c8aee76e7977..5336f62ed97aba125ca8f1ae7c3e3505bb7ff3ea 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am 
@@ -35,6 +35,7 @@ app_DATA =\ 40-automember.update \ 40-otp.update \ 45-roles.update \ + 50-7_bit_check.update \ 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ -- 1.8.1.4
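Review bot: The comment in the 50-7_bit_check.update hunk now records why `replace` is used, but the assumption that nsslapd-pluginarg2 currently holds `userpassword` is still only implicit in `replace:nsslapd-pluginarg2:userpassword::mail`; on an instance whose 7-bit check argument list was edited by hand the line matches nothing and userPassword remains checked, with no indication in the upgrade log. Suggest stating that assumption in the comment, and verifying after the upgrade that no nsslapd-pluginargN value of the `cn=7-bit check` entry still equals userpassword so the ticket's failure mode cannot survive silently.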
Re: [Freeipa-devel] [RFC] Serving legacy systems clients for trusts
On Tue, May 28, 2013 at 02:50:59PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
>
> === CLI ===
> The feature is not directly exposed in CLI. IPA idrange management is expanded to specify idrange type (IPA local, AD trust, AD with winsync, IPA trust, ..) to affect the way how AD users SIDs are mapped to POSIX IDs.

Hi,

currently with algorithmic mapping we use user-private groups for all trusted users. This is in agreement with the defaults for IPA users and also matches with AD's RID handling because a single namespace for UIDs and GIDs is forced this way.

When adding support for UIDs and GIDs stored in AD we cannot do this anymore because AD (correctly) treats POSIX UIDs and GIDs as separate name spaces. As a consequence SSSD has to treat algorithmic mapping and IDs-in-AD mapping differently with respect to user private groups.

My question is, shall SSSD implicitly do the right thing based on the type of the idrange, or shall there be an extra attribute in the idrange object which explicitly says if the range has user private groups or not? I think it is not needed because for both current mappings there is only one choice but maybe someone can think of a reason for such an attribute.

bye,
Sumit
[Freeipa-devel] [PATCH] Fix format string typo
Hi,

this patch just fixes a typo.

bye,
Sumit

From b4bf2704175de6ddf961e7447c57c5ced8cc0c5a Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 3 Jun 2013 14:05:03 +0200 Subject: [PATCH] Fix format string typo --- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c index d7e6ac39a57ce26cf6ac7196a1797c44e5a65f77..fafc55a497620024e45186b48ed84029e273f5ef 100644 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c @@ -518,7 +518,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, sid); if (ret != 0) { -LOG_FATAL(Cannot convert Posix ID [%ul] into an unused SID.\n, id); +LOG_FATAL(Cannot convert Posix ID [%lu] into an unused SID.\n, id); goto done; } -- 1.8.1.4
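Review bot: The change in the find_sid_for_ldap_entry hunk is more than cosmetic and the commit message could say so: `%ul` is parsed as the `%u` conversion (unsigned int) followed by a literal `l`, so with `id` being an unsigned long, as the new `%lu` implies, the argument is read at the wrong width and the message gains a stray `l`; `%lu` matches the type. Building the plugin with `-Wformat` (part of `-Wall`) reports this class of mismatch at compile time, so it is worth checking that the plugin's CFLAGS enable it and that the remaining LOG_* calls in the file are clean.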
Re: [Freeipa-devel] [PATCH] Fix format string typo
On 06/03/2013 03:39 PM, Sumit Bose wrote:
> Hi,
>
> this patch just fixes a typo.
>
> bye,
> Sumit

Obvious ACK. Pushed to master, ipa-3-2.

Martin
Re: [Freeipa-devel] [RFC] Serving legacy systems clients for trusts
On Fri, 31 May 2013, Simo Sorce wrote:
On Fri, 2013-05-31 at 10:35 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Fri, 2013-05-31 at 16:35 +0300, Alexander Bokovoy wrote:
On Fri, 31 May 2013, Simo Sorce wrote:
On Fri, 2013-05-31 at 10:54 +0300, Alexander Bokovoy wrote:
On Thu, 30 May 2013, Dmitri Pal wrote:
[...]

For Linux and older SSSD versions we in fact have a problem. What I want to avoid is to have to define procedures and patches for all the clients.
^^ ?
However if you use ipa-client-install it would configure sssd the old way. How to make it configured the new way? Manually? This is error prone and people will be reluctant to reconfigure SSSD. Automatically? Means patches to all the versions of the clients. How we are going to deal with the huge test matrix?

I think rolling out patches to old sssd versions is not a good idea and I think we won't have the time to prepare all the needed patches in a reasonable time-frame. For SSSD versions which do not allow multiple search bases (1.5 and 1.6) I would suggest to add a new domain section for the AD users with LDAP and Kerberos provider. This would allow IPA users to work as before and add the AD users to the client. Maybe this would also be a better solution for the other SSSD versions instead of multiple search bases, at least it's a solution for all versions. Since we have the python config API for SSSD the needed changes to the sssd.conf might be scriptable with a reasonable effort. Maybe this can be added to ipa-client-install with a new option like --enable-legacy-trust-support which can add the new section to existing configuration or include it for new installations?

Bigger question is what is simpler: write configuration instructions or modify/provide additional script for old SSSD? Remember that trusts with AD are most likely established when IPA clients are already rolled out. Changing ipa-client-install is not helpful for this case since the clients are already there.

Perhaps a better approach would be documentation for non-SSSD case and a simple snippet that can be run alone or in use with puppet/etc to deploy massively. The snippet would use SSSDConfig Python API to add needed modifications to the clients' SSSD configuration. We can even extend IPA server tools to allow generating such snippets based on the trusts configuration. After all, we do have control over IPA server in such cases.

I have updated wiki page with discussed ideas.

Sorry but this is not enough. I do not see a discussion in the design about the client side solution procedure. I am looking for a section that would contain a table (or like):

--------------------------------------------------------------------------
| Type/Version of the client   | Action                                  |
--------------------------------------------------------------------------
| Solaris/HP-UX/AIX (non sssd) | Configure manually to recognize AD as   |
|                              | a domain following steps ...            |
--------------------------------------------------------------------------
| Clients that have SSSD       | If the client is already installed      |
| before 1.9                   | and configured do X                     |
|                              | If it is a fresh install of the         |
|                              | client do Y                             |
--------------------------------------------------------------------------
| SSSD 1.9 and later           | Use the following ipa-client-install    |
|                              | flags XYZ and/or authconfig command     |
|                              | ABC                                     |
--------------------------------------------------------------------------

Can something like this be added to wiki and corresponding tickets to provide testable replacements for XYZ above be filed in trac?

I've added more, including three tickets to cover specific configurations. Unfortunately, we have limits in multiple search bases approach by the commercial UNIX vendors since their LDAP modules do not support multiple search bases. For all of those platforms there is PADL pam_ldap available which can be used for the same purpose. If we still want to support native pam_ldap on Solaris (which doesn't work with multiple search bases), we'd have to merge LDAP trees.

Alexander, in my initial proposal I said that trusted users should be put in the same tree as compat users, it was exactly to address this problem. We do not need to cause more problems by using multiple search trees IMO.

Ok, since I wanted to re-use slapi-nis anyway, this only means adding one more config attribute to slapi-nis configuration that will ask it to look into NSS in addition to the main query. In which order these queries should be performed? first to LDAP then NSS or first to NSS then to LDAP? I guess the
[Freeipa-devel] [PATCHES 0061-0063] Extend ID range types rebased
Hi,

Sending rebased versions on top of current master.

Tomas

From 589be38f4e34fc759fc9aff580f2d17e0eae52bb Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 30 May 2013 14:02:44 +0200 Subject: [PATCH 61/63] Add ipaRangeType attribute to LDAP Schema This adds a new LDAP attribute ipaRangeType with OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema. ObjectClass ipaIDrange has been altered to require ipaRangeType attribute. Part of https://fedorahosted.org/freeipa/ticket/3647 --- install/share/60basev3.ldif | 3 ++- install/updates/62-ranges.update | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 435948faefb66870aba20248ef88fae90505609c..b84789e25d75033f18fa5b70f69d852ddf35b7ca 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -37,6 +37,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') +attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) 
@@ -49,7 +50,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update index 79d5326d6000d038923b2a92dcdec98370fa90f4..c2eb6dca7077aebf56b06b39710b3c46db799aed 100644 --- a/install/updates/62-ranges.update +++ b/install/updates/62-ranges.update 
@@ -3,10 +3,12 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +add:attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject'
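Review bot: In the 60basev3.ldif attributeTypes hunk the new `ipaRangeType` definition carries no `SINGLE-VALUE` flag, unlike the neighbouring `ipaBaseID`, `ipaIDRangeSize` and `ipaBaseRID` definitions visible in the 62-ranges.update hunk, so a range entry could hold several conflicting types that every consumer of the range (SSSD, the ID mapping plugins) would then have to disambiguate. Suggest adding `SINGLE-VALUE` to the attribute in both 60basev3.ldif and 62-ranges.update, and listing the accepted values in the DESC instead of the bare 'Range type'.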
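Review bot: Making `ipaRangeType` a MUST attribute of the abstract `ipaIDrange` objectclass in the 60basev3.ldif objectClasses hunk means any existing range entry that lacks the attribute fails schema checking on its next modification; the 62-ranges.update hunk shown here adds the attributeType to the schema, but the visible part does not populate the attribute on existing entries. Suggest confirming that a later patch in the series sets `ipaRangeType` on existing `ipaDomainIDRange` and `ipaTrustedADDomainRange` entries before this MUST is enforced, or keeping it MAY until that update exists.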
Re: [Freeipa-devel] [PATCH] 418 Make ssbrowser.html work in IE 10
On 05/29/2013 01:15 PM, Petr Vobornik wrote:
> Manual configuration page for other browsers (ssbrowser.html) doesn't work in IE 10 - error page is displayed.
>
> This patch is conditioning creation of Firefox configuration object so that configure.jar is requested only in Firefox. IE doesn't request it and so it does not fail.
>
> https://fedorahosted.org/freeipa/ticket/3645

ACK

-- 
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Re: [Freeipa-devel] [RFC] Serving legacy systems clients for trusts
On Mon, Jun 03, 2013 at 03:32:05PM +0200, Sumit Bose wrote:
> On Tue, May 28, 2013 at 02:50:59PM +0300, Alexander Bokovoy wrote:
> > Hi,
> >
> > http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
> >
> > === CLI ===
> > The feature is not directly exposed in CLI. IPA idrange management is expanded to specify idrange type (IPA local, AD trust, AD with winsync, IPA trust, ..) to affect the way how AD users SIDs are mapped to POSIX IDs.
>
> Hi,
>
> currently with algorithmic mapping we use user-private groups for all trusted users. This is in agreement with the defaults for IPA users and also matches with AD's RID handling because a single namespace for UIDs and GIDs is forced this way.
>
> When adding support for UIDs and GIDs stored in AD we cannot do this anymore because AD (correctly) treats POSIX UIDs and GIDs as separate name spaces. As a consequence SSSD has to treat algorithmic mapping and IDs-in-AD mapping differently with respect to user private groups.
>
> My question is, shall SSSD implicitly do the right thing based on the type of the idrange, or shall there be an extra attribute in the idrange object which explicitly says if the range has user private groups or not? I think it is not needed because for both current mappings there is only one choice but maybe someone can think of a reason for such an attribute.

We discussed this a bit and came to the following agreement:
- no extra attribute is needed
- for all idrange types where IPA is assigning the ID, user-private groups will be used (local IPA users, algorithmic mappings)
- for all idranges where the IDs are managed by external sources we use what we get

bye,
Sumit

> bye,
> Sumit