date:20140626


On Thu, 26 Jun 2014, Rob Townley wrote:

StartSSL has free ssl certs.
Very inexpensive wildcard certs ~$50.00.
StartCom CA that has been trusted by browsers for years.

We have proper certificate in place. This looks like OpenShift's
misconfiguration.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza



I agree that just returning a string when conversion fails is the wrong
thing to do.

I think that if LDAP generalized can contain the empty/invalid value, we
should convert the '0' to what Python uses for that -- None.



But None already means empty attribute.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid

2014-06-26 Thread Martin Kletzander


On Thu, Jun 26, 2014 at 01:23:44AM -0500, Rob Townley wrote:

StartSSL has free ssl certs.
Very inexpensive wildcard certs ~$50.00.
StartCom CA that has been trusted by browsers for years.


I've heard of free (or low-cost) SSL certs for open source software
and there should be a company providing SSL certs for domains as a
part of the ResetTheNet initiative [1], but right now, I'm unable to
find that, so I might have misunderstood some statement.

Martin

[1] https://www.resetthenet.org/


On Jun 26, 2014 12:29 AM, James purplei...@gmail.com wrote:


I think it's kind of funny that the cert for: https://www.freeipa.org/
is invalid, particularly since this is a security product.

In any case, feel free to forward to whoever maintains this in case
someone thinks it matters.

Cheers,
James

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


signature.asc
Description: Digital signature
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza



I agree that just returning a string when conversion fails is the wrong
thing to do.

I think that if LDAP generalized can contain the empty/invalid value, we
should convert the '0' to what Python uses for that -- None.



But None already means empty attribute.


I don't think you can get [None] currently, can you? None is the default 
default for get(), but I don't think that's a problem.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring


On 06/25/2014 09:48 PM, Tomas Babej wrote:


On 06/25/2014 09:35 PM, Petr Viktorin wrote:

On 06/25/2014 07:16 PM, Tomas Babej wrote:


On 06/25/2014 04:59 PM, Tomas Babej wrote:


On 06/25/2014 04:13 PM, Tomas Babej wrote:


On 06/25/2014 04:01 PM, Tomas Babej wrote:


On 06/25/2014 10:48 AM, Petr Viktorin wrote:

On 06/19/2014 03:52 PM, Tomas Babej wrote:


On 06/19/2014 12:52 PM, Tomas Babej wrote:

On 06/18/2014 10:52 AM, Petr Viktorin wrote:

On 06/17/2014 02:15 PM, Tomas Babej wrote:

On 06/17/2014 12:03 PM, Timo Aaltonen wrote:

On 17.06.2014 11:16, Martin Kosek wrote:

Attached is a new version of patch 226, and a new patch 228,
which moves
the paths from installers to the paths module.

In patch 226, there's another certificated typo in
remove_ca_cert_from_systemwide_ca_store


I greped the repository, and I do not see many paths lurking
around any
more, there are only some in the error messages (as these
can't be
reliably replaced automatically, and will need some manual
love).

If you see any forgotten paths, which should be added to the
module, let
me know.


Well, since you asked...

install/tools/ipa-upgradeconfig:236:
ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
ipaserver/install/cainstance.py:1330: -pki_instance_root=/var/lib,

ipaserver/install/dsinstance.py:209:InstallLdifFile=
/var/lib/dirsrv/boot.ldif
ipaserver/install/dsinstance.py:210:inst_dir=
/var/lib/dirsrv/scripts-$SERVERID

ipaserver/install/ipa_backup.py:464:
'--exclude=/var/lib/ipa/backup',

ipatests/test_integration/tasks.py:451: host.run_command(find
/var/lib/sss/db -name '*.ldb' | 

install/tools/ipa-replica-conncheck:403:
/usr/sbin/ipa-replica-conncheck  +
install/tools/ipa-replica-conncheck:414:
print_info(/usr/sbin/ipa-replica-conncheck  + 
.join(remote_check_opts))

ipapython/ipautil.py:296:env[PATH] =
/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin

ipaserver/install/cainstance.py:88:ConfigFile =
/usr/share/pki/ca/conf/database.ldif

ipaserver/install/bindinstance.py:829:
ipautil.run(['/usr/libexec/generate-rndc-key.sh'])



/me will think twice about teasing nex time.

This are paths requiring manual changes in one way or the other and
as such cannot be handled by my tool. Let's not stall the patcheset
on this. We can fix these (and surely there are other) as we go
along.


OK, not a reason to hold the patch back.
But, the fact that the tool can't handle them doesn't make them less
important. Let's keep the ticket open, or open a new one.


I guess it'll be a while before we catch them all, but now it's at
least clear where these paths should be, so anyone porting to
another distro can send patches (or tickets) upstream.


I see another duplicate:
  SSS_KRB5_INCLUDE_D = /var/lib/sss/pubconf/krb5.include.d
  SSSD_PUBCONF_KRB5_INCLUDE_D_DIR =
/var/lib/sss/pubconf/krb5.include.d/


Could you just pick one instead? Would ipa_backup.py break if it
had a trailing slash here?



Yes. I verified it produces the same result with or without trailing
slash, fixed.



In ipa-client-install, if you set:
 NSSWITCH_CONF = paths.NSSWITCH_CONF
then you should only use one of those later. (Preferably paths.*,
to get rid of the redundant constants.)
Perhaps this is for another patch that would clean up all the cases
where these trivial module variables are used.



I agree. Fixed this occurence.


I've opened an easyfix ticket for the rest:
https://fedorahosted.org/freeipa/ticket/4399


Fixed all mentioned issues. I also attached a patch 230, which
removes
the base Authconfig class.




Attaching one additional patch, which removes unnecessary build
warnings.



226, 230, 231 look good



Attaching whole updated patchset.


Attaching one more patch which should fix broken CI tests.



Self-NACK - It seems I omitted one occurence of NSSWITCH_CONF in
ipa-client-install, fixed now.

Attaching the whole patchset for your convenience.
--

Attaching a correct patchset this time.


I hate to break it to you, but...
 you sent the wrong patch 228 :(



No way! That's a official fail combo on my part. Here's the correct patch.


ACK, pushed to master: e5e42fc83ae74f0e0c68e68417a39fe6f2f2ae63





--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 26.6.2014 09:21, Petr Viktorin wrote:

On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza



I agree that just returning a string when conversion fails is the wrong
thing to do.

I think that if LDAP generalized can contain the empty/invalid value, we
should convert the '0' to what Python uses for that -- None.



But None already means empty attribute.


I don't think you can get [None] currently, can you? None is the default
default for get(), but I don't think that's a problem.



You can't, but you can get it from single_value when the attribute is 
empty or assign it to an attribute to make it empty.


I would very much prefer if we avoided None, because it will only create 
mess and possibly some hard to catch errors.


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 06/26/2014 09:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:21, Petr Viktorin wrote:

On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza



I agree that just returning a string when conversion fails is the wrong
thing to do.

I think that if LDAP generalized can contain the empty/invalid
value, we
should convert the '0' to what Python uses for that -- None.



But None already means empty attribute.


I don't think you can get [None] currently, can you? None is the default
default for get(), but I don't think that's a problem.



You can't, but you can get it from single_value when the attribute is
empty or assign it to an attribute to make it empty.

I would very much prefer if we avoided None, because it will only create
mess and possibly some hard to catch errors.



The problem is that unset is a valid value here, and None is the 
Python representation for that. If it has to make single_value 
ambiguous, I'd be fine with that -- single_value is just a helper.


But, shouldn't single_value[x] raise KeyError if the attribute is missing?
As for setting, there is a difference between
entry.single_value[x] = None
and
del entry[x]
and we should use the correct one for each case.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0229] dsinstance: Detect dynamic plugin support and restart server


On 06/18/2014 05:14 PM, Tomas Babej wrote:

Hi,

With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to
restart the server right after modifying the schema, as the plugins
will be enabled at the point they are added (and not at the next
server restart).

Properly handle both situations in the installer.

https://fedorahosted.org/freeipa/ticket/4203


Installation succeeded with normal DS, but with a build with dynamic 
plugins, the DS didn't start and installation failed.



There were some plugin-related failures in the DS error log:

[26/Jun/2014:10:11:41 +0200] ipapwd_start - [file ipa_pwd_extop.c, line 
1243]: No config Entry extop?
[26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 
1019]: Internal error, couldn't find pluginextension ?!
[26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 
1019]: Internal error, couldn't find pluginextension ?!
[26/Jun/2014:10:13:15 +0200] ipa_winsync_config - [file 
ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already 
configured.  Please remove the plugin config entry 
[cn=ipa-winsync,cn=plugins,cn=config]
[26/Jun/2014:10:13:15 +0200] ipa_winsync_plugin_start - [file 
ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap 
routine)
[26/Jun/2014:10:13:15 +0200] - Failed to start preoperation plugin 
ipa-winsync
[26/Jun/2014:10:13:15 +0200] - plugin_restart: Plugin 
(cn=ipa-winsync,cn=plugins,cn=config) failed to restart after 
configuration change (Failed to start plugin ipa-winsync.  See errors 
log.).  Reverting to original plugin entry.
[26/Jun/2014:10:13:16 +0200] ipa_winsync_config - [file 
ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already 
configured.  Please remove the plugin config entry 
[cn=ipa-winsync,cn=plugins,cn=config]
[26/Jun/2014:10:13:16 +0200] ipa_winsync_plugin_start - [file 
ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap 
routine)
[26/Jun/2014:10:13:16 +0200] - Failed to start preoperation plugin 
ipa-winsync
[26/Jun/2014:10:13:16 +0200] dse_post_modify_plugin - The configuration 
change for plugin (cn=ipa-winsync,cn=plugins,cn=config) could not be 
applied dynamically, and will be ignored until the server is restarted.


...

[26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:31 +0200] memberof-plugin - Memberof task finished 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:32 +0200] memberof-plugin - Memberof task finished 
(arg: (objectclass=*)) ...
[26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target 
cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target 
cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist
[26/Jun/2014:10:15:19 +0200] - Entry cn=adtrust 
agents,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com 
-- attribute memberOf not allowed
[26/Jun/2014:10:15:19 +0200] memberof-plugin - memberof_postop_add: 
failed to add dn(cn=System: Read system trust 
accounts,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com), 
error (-1)



If you want I can give access to the VM.



For the record, here's how to build 389-ds with the plugins enabled.

1.) Build dependencies  source:

yum install 389-ds-base* libicu* icu* bzip* net-snmp net-snmp-devel
pcre* pam* mod-nss gdb gcc* perl-Archive-Tar -y --skip-broken

git clone git://git.fedorahosted.org/git/389/ds.git
cd ds

2.) Apply this diff:

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 85662a3..f4b32c7 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -58,7 +58,7 @@ nsslapd-maxdescriptors: 1024
 nsslapd-max-filter-nest-level: 40
 nsslapd-ndn-cache-enabled: on
 nsslapd-sasl-mapping-fallback: off
-nsslapd-dynamic-plugins: off
+nsslapd-dynamic-plugins: on
 nsslapd-allow-hashed-passwords: off

 dn: cn=features,cn=config
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index e890aed..e13c468 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1567,7 +1567,7 @@ FrontendConfig_init () {
   init_plugin_logging = cfg-plugin_logging = LDAP_OFF;
   init_listen_backlog_size = cfg-listen_backlog_size = 
DAEMON_LISTEN_SIZE;

   init_ignore_time_skew = cfg-ignore_time_skew = LDAP_OFF;
-  init_dynamic_plugins = cfg-dynamic_plugins = LDAP_OFF;
+  init_dynamic_plugins = cfg-dynamic_plugins = LDAP_ON;
   init_cn_uses_dn_syntax_in_dns = cfg-cn_uses_dn_syntax_in_dns = 
LDAP_OFF;

 #if defined(LINUX)
   init_malloc_mxfast = cfg-malloc_mxfast = DEFAULT_MALLOC_UNSET;

3.) Build
make -j1 -f rpm.mk rpms




--
Petr³


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 26.6.2014 09:40, Petr Viktorin wrote:

On 06/26/2014 09:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:21, Petr Viktorin wrote:

On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw
value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza



I agree that just returning a string when conversion fails is the
wrong
thing to do.

I think that if LDAP generalized can contain the empty/invalid
value, we
should convert the '0' to what Python uses for that -- None.



But None already means empty attribute.


I don't think you can get [None] currently, can you? None is the default
default for get(), but I don't think that's a problem.



You can't, but you can get it from single_value when the attribute is
empty or assign it to an attribute to make it empty.

I would very much prefer if we avoided None, because it will only create
mess and possibly some hard to catch errors.



The problem is that unset is a valid value here,


It is not, according to Generalized Time syntax (RFC 4517 section 
3.3.13) 0 is an invalid value and we should treat it the same way as 
any other invalid value (hence my original suggestion).



and None is the
Python representation for that. If it has to make single_value
ambiguous, I'd be fine with that -- single_value is just a helper.

But, shouldn't single_value[x] raise KeyError if the attribute is missing?


It does. When attribute is empty/None, it is unset, not missing. There 
is old code which depends on this.



As for setting, there is a difference between
 entry.single_value[x] = None
and
 del entry[x]
and we should use the correct one for each case.




Yes, but until the old code is fixed, None has a special meaning and 
can't be used for anything else.


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Design Review Keytab Retrieval

On 06/26/2014 04:29 AM, Nathaniel McCallum wrote:
 On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:
 On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
 - Original Message -
 - Original Message -
 Can you check if ipaProtectedOperation is in the aci attribute in the
 base tree object ?
 It should be there as excluded, and that should cause admin to not be
 able to retrieve keytabs.

 It was not. While running ipa-ldap-updater I got the following:
 InvalidSyntax: ACL Syntax Error(-5):(targetattr=
 \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
 allowed to rekey any entity\22; allow(write) groupdn =
 \22ldap:///cn=admins: Invalid syntax.

 Uhmm I do not see anything obviously wrong with ACI instruction, it looks
 just like the one I replace, Ideas ?
 Do you have ipaProtectedOperation in the schema ?

 (I rebased patch 3 but will wait to send a patchset until we understand 
 (and
 fix) why this is failing to update.

 Ok, apparently it was a quoting issue in the .update files, hopefully that's
 the only issue (I am at a conference today and do not have my test env. 
 handy).

 The attached patches are rebased on the latest master.

 0001: Line 555 has very wrong indentation.

 I don't see anything else wrong in the other patches. I've tested
 everything and it works as designed.

 I have CC'd everyone who was involved with review at any point on these
 patches. This serves as my public notice that I'd like to ACK the next
 round of patches. If anyone has anything else to add, please do it
 before tomorrow evening. Thanks!

 Nathaniel
 
 ACK
 
 Nathaniel

Pushed all 6 patches to master. Thanks for careful review!

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 06/26/2014 10:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:40, Petr Viktorin wrote:

On 06/26/2014 09:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:21, Petr Viktorin wrote:

On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw
value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza


[...]


The problem is that unset is a valid value here,


It is not, according to Generalized Time syntax (RFC 4517 section
3.3.13) 0 is an invalid value and we should treat it the same way as
any other invalid value (hence my original suggestion).


OK, in that case ignore what I said here.

So am I correct that 389-ds storing a value that doesn't comply with the 
attribute's syntax?  Should we file a DS bug?


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid

On 06/26/2014 07:28 AM, James wrote:
 I think it's kind of funny that the cert for: https://www.freeipa.org/
 is invalid, particularly since this is a security product.
 
 In any case, feel free to forward to whoever maintains this in case
 someone thinks it matters.
 
 Cheers,
 James

You are of course right. Given that OpenShift (where the wiki is running) now
supports certificates for aliases, it is possible to configure the certificate.

I have started the machinery, stay tuned.

Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong


On 26.6.2014 10:39, Petr Viktorin wrote:

On 06/26/2014 10:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:40, Petr Viktorin wrote:

On 06/26/2014 09:33 AM, Jan Cholasta wrote:

On 26.6.2014 09:21, Petr Viktorin wrote:

On 06/26/2014 08:30 AM, Jan Cholasta wrote:

On 25.6.2014 18:25, Petr Viktorin wrote:

On 06/25/2014 05:29 PM, Jan Cholasta wrote:

Hi,

On 25.6.2014 17:17, Tomas Babej wrote:

Hi,

Our datetime conversion does not support full LDAP Generalized
time syntax. In the unsupported cases, we should fall back
to string representation of the attribute.

In particular, '0' is used to denote no value of LDAP generalized
time attribute.

https://fedorahosted.org/freeipa/ticket/4350


NACK, this beats the purpose of decoding of the values, because it
requires you to check the type of the value before using it.

Instead, you should either fix the code that uses the
nsds5ReplicaLastUpdate{Start,End} attributes to access their raw
value
directly, or exclude the attributes from decoding to datetime by
overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE.

Honza


[...]


The problem is that unset is a valid value here,


It is not, according to Generalized Time syntax (RFC 4517 section
3.3.13) 0 is an invalid value and we should treat it the same way as
any other invalid value (hence my original suggestion).


OK, in that case ignore what I said here.

So am I correct that 389-ds storing a value that doesn't comply with the
attribute's syntax?  Should we file a DS bug?



AFAIK syntax checks are done only on LDAP adds and mods, so unless we 
are setting 0 somewhere and DS does not complain, it is not a bug.


--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.0

2014-06-26 Thread Petr Spacek


The FreeIPA team is proud to announce bind-dyndb-ldap version 5.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 20 and and is on its way to 
updates-testing:

https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.0-1.fc20

Release to Fedora 'updates' repo will be coordinated with FreeIPA 4.0 release 
to prevent breakages.


== Changes in 5.0 ==
[1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be
signed with keys provided by user.

[2] DNSKEY, RRSIG, NSEC and NSEC3 records are automatically managed
by BIND+bind-dyndb-ldap. Respective attributes in LDAP are ignored.

[3] Forwarder semantic was changed to match BIND's semantics:
- idnsZone object always represents master zone
- idnsForwardZone object (new) always represents forward zone

[4] Master root zone can be stored in LDAP.


== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be restarted 
manually after the RPM installation.


!!! CAUTION !!!
idnsZone object class changed it's semantics. Please read
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
and update idnsForwarders and idnsForward policy attributes in your DNS zones 
accordingly.


Transition from idnsZone to idnsForwardZone object class can be made seamless 
if you change data in LDAP before you upgrade to version 5.x. All 
bind-dyndb-ldap versions = 3.0 support the idnsForwardZone object class.



Users of FreeIPA  4.0 should be careful when upgrading bind-dyndb-ldap to 
version = 5.0 (if they do not upgrade to FreeIPA 4.x at the same time).


Configuration semantics related to conditional (per-zone) forwarding has 
changed and FreeIPA  4.0 doesn't have appropriate user interface and API.


It is safe to upgrade if you use *only* global forwarders (shown by 'ipa 
dnsconfig-show') and *do not* use per-zone forwarders (shown by 'ipa 
dnszone-show').


Don't hesitate to ask freeipa-users mailing list if you need help with upgrade.
!!! CAUTION !!!

Downgrading back to any 4.x version is supported.


== Feedback ==
Please provide comments, report bugs and send any other feedback via the 
freeipa-users mailing list:

http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek  @  Red Hat

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing

On 06/18/2014 03:56 PM, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373.
 
 Honza

Works fine, tested with
# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config
trick.

ACK, pushed to master.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 676 rpcserver: fix local vs utc time comparison


On 25.6.2014 17:36, Jan Cholasta wrote:

Hi,

On 24.6.2014 16:02, Petr Vobornik wrote:

login_password did not work properly in timezones other than +0h because
local time was compared with utc time.


ACK.


pushed to master:
1c94edd3a09711d85ba099bd815c0bdd8f0210c1 rpcserver: fix local vs utc 
time comparison






Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339

We should review other code for invalid usage of datetime.now()


All other uses of datetime.now() predate LDAP datetime decoding, so I
think we are fine.

Honza


--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing


On 06/26/2014 12:18 PM, Martin Kosek wrote:

On 06/18/2014 03:56 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373.

Honza


Works fine, tested with
# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config
trick.

ACK, pushed to master.

Martin



It would be really nice to have some tests for this function.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 659-666 Support of password reset with OTP


On 25.6.2014 19:41, Endi Sukma Dewata wrote:

On 6/20/2014 10:18 AM, Petr Vobornik wrote:

On 11.6.2014 15:19, Petr Vobornik wrote:

Patch set contains both API/server and Web UI parts.

[PATCH] 659 ldap2: add otp support to modify_password
[PATCH] 660 rpcserver: add otp support to change_password handler
[PATCH] 661 ipa-passwd: add OTP support
[PATCH] 662 webui: support password change with OTP in login screen
[PATCH] 663 webui: placeholder attribute support in textbox and textarea
[PATCH] 664 webui: add placeholders to login screen
[PATCH] 665 webui: rebase user password dialog on password dialog and
add otp support
[PATCH] 666 webui: support otp in reset_password.html

https://fedorahosted.org/freeipa/ticket/4262


attaching rebased patches (mainly because of VERSION conflict)


ACK. Possible improvements (some of which are already discussed on IRC):


pushed to master:
* 7fca783ec554e525465221af13e17f419769c760 ldap2: add otp support to 
modify_password
* 896920ed12a4601a60ac6a7e6f4f13d9ca48df77 rpcserver: add otp support to 
change_password handler

* 2df654223259ca336843f37a229838e125c874d6 ipa-passwd: add OTP support
* f9adc5a5f3ed84ae23c4261f7316ad2e84952d68 webui: support password 
change with OTP in login screen
* 6e7d4ad468854cce8a9a76f3abf8268e3813ff93 webui: placeholder attribute 
support in textbox and textarea
* e3de46767683c5050377cc5e683cd6e3d28ea4e9 webui: add placeholders to 
login screen
* 870db2f677dff01750aeec104c90fce3ca0e54be webui: rebase user password 
dialog on password dialog and add otp support
* 70c77e6a3cfe1a4fbfb5f053a4d47dd2e47d8b3b webui: support otp in 
reset_password.html



I've shamelessly copied all 13 items into new trac ticket 
https://fedorahosted.org/freeipa/ticket/4402 to track these possible 
improvements. We can create separate tickets for issues 8,9,11,12,13 if 
needed.




1. The clock interval field in the Add OTP Token dialog could be
disabled for HOTP.

2. The clock interval and counter fields (and probably some other
fields too) in the OTP Token details page could be hidden depending on
the token type.

3. The Add OTP Token dialog could provide more descriptive token types:
time-based or counter-based token instead of just TOTP or HOTP.

4. The OTP Token details page could show the token type (I suppose the
model may not be descriptive enough).

5. It would be nice to have a link/button to add OTP Token from the user
details page with the owner already set to the user.

6. The clock interval should have a unit of measurements (i.e. seconds).

7. When logging in with an expired password, the user will be asked to
reset a password and enter an OTP. Although OTP means one-time password,
some users could be confusing it with the OTP he/she just entered in the
previous page. It would be nicer to say New OTP or add an explanation
Wait for a new OTP to make sure the user enters a new OTP.

8. In the User authentication types field it might be better to say
password + OTP instead of just otp. The checkbox value can remain
otp.

9. The User authentication types is a bit confusing because if none
are selected it doesn't mean that no authentication is allowed, but it
means it's unset and it will use the global setting. The UI probably
should provide a separate radio button to select Use global setting or
show the effective setting next to it.

10. The Default user authentication types in the global setting is a
bit confusing because by default nothing is selected but the actual
default is supposedly not empty.

11. Ideally the password reset page/dialog should indicate whether the
old password and the OTP are required based on the actual authentication
type available to the user.

12. Ideally there should be a way to display the QR code of an existing
OTP token.

13. The UI could also provide a link to download the OTP app or a list
of supported apps.


--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command


On Wed, 25 Jun 2014, Nathaniel McCallum wrote:

On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote:

On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote:
 On Mon, 23 Jun 2014, Nathaniel McCallum wrote:
 On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote:
  On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
  On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
   This command behaves almost exactly like otptoken-add except:
   1. The new token data is written directly to a YubiKey
   2. The vendor/model/serial fields are populated from the YubiKey
  
   === NOTE ===
   1. This patch depends on the new Fedora package: python-yubico. If you
   would like to help with the package review, please assign yourself here:
   https://bugzilla.redhat.com/show_bug.cgi?id=334
  
  New version of the patch. This one works (yay!).
  
  1. Because of the dependency on python-yubico, is this feature something
  we want in core FreeIPA? As a subpackage? Separate project altogether?
  The only dependency for python-yubico is pyusb.
  I'd prefer to have it integrated but have a separate dummy subpackage
  that pulls in all required dependencies, like, freeipa-tools-yubico. 
Instead
  of failing when 'ipa otptoken-add-yubikey' is called, please wrap the
  python-yubico import into a code that allows reporting a message back to
  the user advising to install the package.
 
  Who is a supposed user for this command? IPA command line interface isn't
  usually available on enrolled machines even though underlying Python
  modules are all there. Are we talking about admins or just users?
 
 As discussed on IRC, we are currently hard-coding lots of optional
 dependencies. And breaking this apart into subpackages can be solved at
 a later point. YubiKey is also a unique case: we don't expect to be
 adding many more plugins like this.
 
 For these reasons, I have kept this as a hard dependency. To ease this
 transition, I have added python-yubico to F20 and EL6. You can help with
 the update review here:
 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20
 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6
 
  3. This code currently emits a warning from the call to otptoken-add:
  WARNING: API Version number was not sent, forward compatibility not
  guaranteed. Assuming server's API version, 2.89
  
  How do I fix this?
  Do not filter 'version' field in options in execute().
 
 I opted to not filter out version rather than hard-code it (pviktori's
 suggestion). This is based on the fact that otptoken-add-yubikey is
 tightly integrated with otptoken-add (even using some of the class
 attributes from otptoken).
 
  4. I am not sure why I have to delete the summary and value keys from
  the return dictionary. It would be nice to display this summary message
  just like otptoken-add.
 
 I still need help on this.
 
  5. Am I doing the ipatoken(vendor|model|serial) options correctly? These
  aren't user settable, but we need to pass them from the yubikey
  (client-side) to the server.
 
 This is no longer needed since I am doing everything in forward().
 However, listing these three as output params causes them to appear
 before the token's ID. I don't think this is the right way to output
 these. But this seems to me a framework issue.
 
  6. I'm not sure my use of assert or ValueError are correct. What should
  I do here?
 
 Still need help here.
 Fixed this part.

 
  7. Considering that this is just a specialized invocation of
  otptoken-add, can't we do this all on the client-side? This is why I had
  originally used frontend.Local rather than frontend.Command.
  You don't need to implement execute then, only forward, where you'll
  forward your call to the server under otptoken_add name.
 
  Typically in #forward we call super's forward but that is because we
  in Command.forward() we  simply forward the command to the remote backend,
   using the self.name. In your case we shouldn't really have a separate
  command on the server under the same name, so you'll need to avoid
  calling
 
  So, it should look like this:
 
  def forward(self, *args, **kw):
  perform yubikey initialization
  filter out kw and args, if needed
  return self.Backend.rpcclient.forward('otptoken_add', *args, **kw)
 
  See service_show implementation for an example.
 
 Fixed.
 I'm attaching few fixups to the patch that make it proper reporting for
 non-Yubikey case and also properly update VERSION.

 Provisional ACK.

Merged.


This patch includes everything above and fixes the missing ./makeapi
run.

ACK. Please do not commit it yet as there is a specific order in which all
these patches should be committed.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support


On Wed, 25 Jun 2014, Nathaniel McCallum wrote:

On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote:
 This HTTP call takes the following parameters:
  * user
  * password
  * first_code
  * second_code
  * token (optional)

 Using this information, the server will perform token synchronization.
 If the token is not specified, all tokens will be searched for
 synchronization.
 Otherwise, only the token specified will be searched.

 This patch depends on my patch #0054.

Attached is a new revision. This version should force an update
to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master.
ACK with condition that you apply attached fixups.

Since token that is passed by 'ipa otptoken-sync' command is not a full
DN, we need to support both cases, when DN and just a name is passed.
Attached patch fixes this.


Applied.

ACK. This should be committed first one.


--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command


On Wed, 25 Jun 2014, Nathaniel McCallum wrote:

On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)

 Thanks, fixed.

Attached is a new revision which is rebased on master.

In addition it:

1. Moves user to a parameter and moves token to an argument. Doing it
this way both mirrors the existing otptoken APIs and sets us up for
future Kerberos based syncing where the username/password will be
optional.

2. Converts the token ID to a DN.
ACK.

Please do not commit this patch yet, we are not done with its
dependencies.


As discussed off list, we also needed to verify the certificate so that
passwords were not sent in the clear to a MITM. This has now been
implemented. VERSION is bumped and ./makeapi was run. This patch is also
rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs
to be merged before this patch (0056).

Right. There is one small fix that need to be squashed prior to
committing as pylint cannot get insights into function states.

The patch attached. With it, ACK.

--
/ Alexander Bokovoy
From b1e75c884fd5303dce038e4f3dc6158d93785671 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 26 Jun 2014 13:16:47 +0300
Subject: [PATCH 4/4] fixup! Add otptoken-sync command

---
 ipalib/plugins/otptoken.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 46ad77a..7b9e256 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -394,7 +394,7 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 class HTTPSConnection(httplib.HTTPConnection):
 Generates an SSL HTTP connection that performs hostname validation.
 
-ssl_kwargs = 
ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount]
+ssl_kwargs = 
ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] 
#pylint: disable=E1101
 default_port = httplib.HTTPS_PORT
 
 def __init__(self, host, **kwargs):
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing


On 26.6.2014 12:43, Petr Viktorin wrote:

On 06/26/2014 12:18 PM, Martin Kosek wrote:

On 06/18/2014 03:56 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373.

Honza


Works fine, tested with
# perl -i -pe 'chomp if eof' /etc/ssh/sshd_config
trick.

ACK, pushed to master.

Martin



It would be really nice to have some tests for this function.



It would be even nicer to use Augeas to handle this.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0078-0079] DNSEC: Add TLSA record


On 25.6.2014 14:35, Martin Basti wrote:

On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote:

Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12
Patches attached.

Note: ACI will be updated in another patch which fix ACIs in DNS plugin


Patches are here

What are patch 0078's dependencies? I'm missing necessary blobs.. 
(current master). Also it requires rebase because of today's pushes to 
master (VERSION conflict).

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Design Review Keytab Retrieval

On Thu, 26 Jun 2014, Martin Kosek wrote:

On 06/26/2014 04:29 AM, Nathaniel McCallum wrote:

On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:

On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:

- Original Message -

Can you check if ipaProtectedOperation is in the aci attribute in the
base tree object ?
It should be there as excluded, and that should cause admin to not be
able to retrieve keytabs.

It was not. While running ipa-ldap-updater I got the following:
InvalidSyntax: ACL Syntax Error(-5):(targetattr=
\22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are
allowed to rekey any entity\22; allow(write) groupdn =
\22ldap:///cn=admins: Invalid syntax.

Uhmm I do not see anything obviously wrong with ACI instruction, it looks
just like the one I replace, Ideas ?
Do you have ipaProtectedOperation in the schema ?

(I rebased patch 3 but will wait to send a patchset until we understand (and
fix) why this is failing to update.

Ok, apparently it was a quoting issue in the .update files, hopefully that's
the only issue (I am at a conference today and do not have my test env. handy).

The attached patches are rebased on the latest master.

0001: Line 555 has very wrong indentation.

I don't see anything else wrong in the other patches. I've tested
everything and it works as designed.

I have CC'd everyone who was involved with review at any point on these
patches. This serves as my public notice that I'd like to ACK the next
round of patches. If anyone has anything else to add, please do it
before tomorrow evening. Thanks!

Nathaniel

ACK

Nathaniel

Pushed all 6 patches to master. Thanks for careful review!

Unfortunately, at least enctype marshalling is wrong with these patches.
Samba does not work anymore with the keytab fetched in new version.

We see following in the keytab:
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp Principal
-
1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 274)
1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 273)
1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 272)
1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 279)

Note that etype is unresolvable. In the build without these patches we
get something like
1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com (aes256-cts-hmac-sha1-96)

So this patchset needs an improvement before release.
--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Design Review Keytab Retrieval

2014-06-26 Thread Tomas Babej


On 06/26/2014 02:33 PM, Alexander Bokovoy wrote:
 On Thu, 26 Jun 2014, Martin Kosek wrote:
 On 06/26/2014 04:29 AM, Nathaniel McCallum wrote:
 On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote:
 On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote:
 - Original Message -
 - Original Message -
 Can you check if ipaProtectedOperation is in the aci attribute
 in the
 base tree object ?
 It should be there as excluded, and that should cause admin to
 not be
 able to retrieve keytabs.

 It was not. While running ipa-ldap-updater I got the following:
 InvalidSyntax: ACL Syntax Error(-5):(targetattr=
 \22ipaProtectedOperation;write_keys\22)(version 3.0; acl
 \22Admins are
 allowed to rekey any entity\22; allow(write) groupdn =
 \22ldap:///cn=admins: Invalid syntax.

 Uhmm I do not see anything obviously wrong with ACI instruction,
 it looks
 just like the one I replace, Ideas ?
 Do you have ipaProtectedOperation in the schema ?

 (I rebased patch 3 but will wait to send a patchset until we
 understand (and
 fix) why this is failing to update.

 Ok, apparently it was a quoting issue in the .update files,
 hopefully that's
 the only issue (I am at a conference today and do not have my test
 env. handy).

 The attached patches are rebased on the latest master.

 0001: Line 555 has very wrong indentation.

 I don't see anything else wrong in the other patches. I've tested
 everything and it works as designed.

 I have CC'd everyone who was involved with review at any point on
 these
 patches. This serves as my public notice that I'd like to ACK the next
 round of patches. If anyone has anything else to add, please do it
 before tomorrow evening. Thanks!

 Nathaniel

 ACK

 Nathaniel

 Pushed all 6 patches to master. Thanks for careful review!

 Unfortunately, at least enctype marshalling is wrong with these patches.
 Samba does not work anymore with the keytab fetched in new version.

 We see following in the keytab:
 Keytab name: FILE:/etc/samba/samba.keytab
 KVNO Timestamp   Principal
 
 -
 1 06/26/2014 13:03:01
 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com
 (etype 274) 1 06/26/2014 13:03:01
 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com
 (etype 273) 1 06/26/2014 13:03:01
 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com
 (etype 272) 1 06/26/2014 13:03:01
 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com
 (etype 279)
 Note that etype is unresolvable. In the build without these patches we
 get something like
   1 06/23/2014 16:28:59
 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com
 (aes256-cts-hmac-sha1-96)
 So this patchset needs an improvement before release.

FYI: I filed https://fedorahosted.org/freeipa/ticket/4404 , setting up
this as blocker.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate


On 16.6.2014 15:35, Jan Cholasta wrote:

Hi,

the attached patches implement
https://fedorahosted.org/freeipa/ticket/3737.

My patches 241-253 and 262-294 are required for this
(http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html,
http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html).

The installation/testing guidelines from
http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html
apply here as well.

Honza


Rebased on top of current master.

--
Jan Cholasta
From 6d234a5f8756876a980a7a0c15fca64fe0a6a975 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:44:03 +0200
Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs
 from NSS databases.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 ipaserver/install/certs.py | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 118cf77..37b102c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -211,9 +211,21 @@ class NSSDatabase(object):
 raise RuntimeError(
 Setting trust on %s failed % root_nickname)
 
+def get_cert(self, nickname, pem=False):
+args = ['-L', '-n', nickname]
+if pem:
+args.append('-a')
+else:
+args.append('-r')
+try:
+cert, err, returncode = self.run_certutil(args)
+except ipautil.CalledProcessError:
+raise RuntimeError(Failed to get %s % nickname)
+return cert
+
 def export_pem_cert(self, nickname, location):
 Export the given cert to PEM file in the given location
-cert, err, returncode = self.run_certutil([-L, -n, nickname, -a])
+cert = self.get_cert(nickname)
 with open(location, w+) as fd:
 fd.write(cert)
 os.chmod(location, 0444)
-- 
1.9.0

From f4b9c00871caab73201d12f24a3b158c03742eba Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 13 Jun 2014 14:45:29 +0200
Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in
 ipa-cacert-manage.

Part of https://fedorahosted.org/freeipa/ticket/3737
---
 install/tools/man/ipa-cacert-manage.1  |  6 +
 ipaserver/install/ipa_cacert_manage.py | 41 +++---
 2 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 92fe717..cf42b24 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available.
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 The Directory Manager password to use for authentication.
 .TP
+\fB\-\-self\-signed\fR
+Sign the renewed certificate by itself.
+.TP
+\fB\-\-external\-ca\fR
+Sign the renewed certificate by external CA.
+.TP
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file.
 .TP
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index f6f3a8b..a0aa355 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -28,7 +28,7 @@ import krbV
 from ipapython import admintool, certmonger, ipautil
 from ipapython.dn import DN
 from ipaplatform.paths import paths
-from ipalib import api, errors, x509, util
+from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 
@@ -52,6 +52,14 @@ class CACertManage(admintool.AdminTool):
 
 renew_group = OptionGroup(parser, Renew options)
 renew_group.add_option(
+--self-signed, dest='self_signed',
+action='store_true',
+help=Sign the renewed certificate by itself)
+renew_group.add_option(
+--external-ca, dest='self_signed',
+action='store_false',
+help=Sign the renewed certificate by external CA)
+renew_group.add_option(
 --external-cert-file, dest='external_cert_file',
 help=PEM file containing a certificate signed by the external CA)
 renew_group.add_option(
@@ -146,7 +154,12 @@ class CACertManage(admintool.AdminTool):
 if options.external_cert_file:
 return self.renew_external_step_2(ca, cert)
 
-if x509.is_self_signed(cert, x509.DER):
+if options.self_signed is not None:
+self_signed = options.self_signed
+else:
+self_signed = x509.is_self_signed(cert, x509.DER)
+
+if self_signed:
 return self.renew_self_signed(ca)
 else:
 return self.renew_external_step_1(ca)
@@ -179,20 +192,19 @@ class CACertManage(admintool.AdminTool):

Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support

On 06/26/2014 01:01 PM, Alexander Bokovoy wrote:
 On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
 On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote:
  This HTTP call takes the following parameters:
   * user
   * password
   * first_code
   * second_code
   * token (optional)
 
  Using this information, the server will perform token synchronization.
  If the token is not specified, all tokens will be searched for
  synchronization.
  Otherwise, only the token specified will be searched.
 
  This patch depends on my patch #0054.
 
 Attached is a new revision. This version should force an update
 to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master.
 ACK with condition that you apply attached fixups.

 Since token that is passed by 'ipa otptoken-sync' command is not a full
 DN, we need to support both cases, when DN and just a name is passed.
 Attached patch fixes this.

 Applied.
 ACK. This should be committed first one.

Pushed to master.

I just added link to https://fedorahosted.org/freeipa/ticket/4218 to the patch
description.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 691 webui-ci: fix action list action visibility and enablement assertion


Fixes CA-less CI test fail

The new html structure was not addressed properly.
--
Petr Vobornik
From a0e2e83470d1ca2c5f6f286e59588b10eb5f75bc Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 26 Jun 2014 14:38:05 +0200
Subject: [PATCH] webui-ci: fix action list action visibility and enablement
 assertion

The new html structure was not addressed properly.
---
 ipatests/test_webui/ui_driver.py | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
index 3f40efd5a35691508185604349ae208a472000b9..047009a295838d0053c9c0e378e97b480db6a0e7 100644
--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -1734,16 +1734,17 @@ class UI_driver(object):
 if not parent:
 parent = self.get_form()
 
-s = .facet-actions li[data-name='%s'] a % action
-link = self.find(s, By.CSS_SELECTOR, parent)
+s = .facet-actions li[data-name='%s'] % action
+li = self.find(s, By.CSS_SELECTOR, parent)
+link = self.find(a, By.CSS_SELECTOR, li)
 
-is_visible = link is not None and link.is_displayed()
+is_visible = li is not None and link is not None
 is_enabled = False
 
 assert is_visible == visible, ('Invalid visibility of action item: %s. '
'Expected: %s') % (action, str(visible))
 
 if is_visible:
-is_enabled = not self.has_class(link, 'disabled')
+is_enabled = not self.has_class(li, 'disabled')
 assert is_enabled == enabled, ('Invalid enabled state of action item %s. '
'Expected: %s') % (action, str(visible))
-- 
1.9.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

On 06/26/2014 01:02 PM, Alexander Bokovoy wrote:
 On Wed, 25 Jun 2014, Nathaniel McCallum wrote:
 On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
  On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
   On 3.6.2014 05:08, Nathaniel McCallum wrote:
This command calls the token sync HTTP POST call in the server 
providing
the CLI interface to synchronization.
   
https://fedorahosted.org/freeipa/ticket/4260
   
This patch depends on my patch #0055.
   
  
   Build fails on validation. You forgot to update API.txt and also the
   command misses __doc__.
  
   (not a proper review)
 
  Thanks, fixed.
 
 Attached is a new revision which is rebased on master.
 
 In addition it:
 
 1. Moves user to a parameter and moves token to an argument. Doing it
 this way both mirrors the existing otptoken APIs and sets us up for
 future Kerberos based syncing where the username/password will be
 optional.
 
 2. Converts the token ID to a DN.
 ACK.

 Please do not commit this patch yet, we are not done with its
 dependencies.

 As discussed off list, we also needed to verify the certificate so that
 passwords were not sent in the clear to a MITM. This has now been
 implemented. VERSION is bumped and ./makeapi was run. This patch is also
 rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs
 to be merged before this patch (0056).
 Right. There is one small fix that need to be squashed prior to
 committing as pylint cannot get insights into function states.
 
 The patch attached. With it, ACK.

Fixed VERSION conflict, squashed fixup patch and pushed to master.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command