Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid
StartSSL has free ssl certs. Very inexpensive wildcard certs ~$50.00. StartCom CA that has been trusted by browsers for years. On Jun 26, 2014 12:29 AM, James purplei...@gmail.com wrote: I think it's kind of funny that the cert for: https://www.freeipa.org/ is invalid, particularly since this is a security product. In any case, feel free to forward to whoever maintains this in case someone thinks it matters. Cheers, James ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid
On Thu, 26 Jun 2014, Rob Townley wrote: StartSSL has free ssl certs. Very inexpensive wildcard certs ~$50.00. StartCom CA that has been trusted by browsers for years. We have proper certificate in place. This looks like OpenShift's misconfiguration. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza I agree that just returning a string when conversion fails is the wrong thing to do. I think that if LDAP generalized can contain the empty/invalid value, we should convert the '0' to what Python uses for that -- None. But None already means empty attribute. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid
On Thu, Jun 26, 2014 at 01:23:44AM -0500, Rob Townley wrote: StartSSL has free ssl certs. Very inexpensive wildcard certs ~$50.00. StartCom CA that has been trusted by browsers for years. I've heard of free (or low-cost) SSL certs for open source software and there should be a company providing SSL certs for domains as a part of the ResetTheNet initiative [1], but right now, I'm unable to find that, so I might have misunderstood some statement. Martin [1] https://www.resetthenet.org/ On Jun 26, 2014 12:29 AM, James purplei...@gmail.com wrote: I think it's kind of funny that the cert for: https://www.freeipa.org/ is invalid, particularly since this is a security product. In any case, feel free to forward to whoever maintains this in case someone thinks it matters. Cheers, James ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel signature.asc Description: Digital signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza I agree that just returning a string when conversion fails is the wrong thing to do. I think that if LDAP generalized can contain the empty/invalid value, we should convert the '0' to what Python uses for that -- None. But None already means empty attribute. I don't think you can get [None] currently, can you? None is the default default for get(), but I don't think that's a problem. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring
On 06/25/2014 09:48 PM, Tomas Babej wrote: On 06/25/2014 09:35 PM, Petr Viktorin wrote: On 06/25/2014 07:16 PM, Tomas Babej wrote: On 06/25/2014 04:59 PM, Tomas Babej wrote: On 06/25/2014 04:13 PM, Tomas Babej wrote: On 06/25/2014 04:01 PM, Tomas Babej wrote: On 06/25/2014 10:48 AM, Petr Viktorin wrote: On 06/19/2014 03:52 PM, Tomas Babej wrote: On 06/19/2014 12:52 PM, Tomas Babej wrote: On 06/18/2014 10:52 AM, Petr Viktorin wrote: On 06/17/2014 02:15 PM, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: Attached is a new version of patch 226, and a new patch 228, which moves the paths from installers to the paths module. In patch 226, there's another certificated typo in remove_ca_cert_from_systemwide_ca_store I greped the repository, and I do not see many paths lurking around any more, there are only some in the error messages (as these can't be reliably replaced automatically, and will need some manual love). If you see any forgotten paths, which should be added to the module, let me know. Well, since you asked... install/tools/ipa-upgradeconfig:236: ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ipaserver/install/cainstance.py:1330: -pki_instance_root=/var/lib, ipaserver/install/dsinstance.py:209:InstallLdifFile= /var/lib/dirsrv/boot.ldif ipaserver/install/dsinstance.py:210:inst_dir= /var/lib/dirsrv/scripts-$SERVERID ipaserver/install/ipa_backup.py:464: '--exclude=/var/lib/ipa/backup', ipatests/test_integration/tasks.py:451: host.run_command(find /var/lib/sss/db -name '*.ldb' | install/tools/ipa-replica-conncheck:403: /usr/sbin/ipa-replica-conncheck + install/tools/ipa-replica-conncheck:414: print_info(/usr/sbin/ipa-replica-conncheck + .join(remote_check_opts)) ipapython/ipautil.py:296:env[PATH] = /bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin ipaserver/install/cainstance.py:88:ConfigFile = /usr/share/pki/ca/conf/database.ldif ipaserver/install/bindinstance.py:829: ipautil.run(['/usr/libexec/generate-rndc-key.sh']) /me will think twice about teasing nex time. This are paths requiring manual changes in one way or the other and as such cannot be handled by my tool. Let's not stall the patcheset on this. We can fix these (and surely there are other) as we go along. OK, not a reason to hold the patch back. But, the fact that the tool can't handle them doesn't make them less important. Let's keep the ticket open, or open a new one. I guess it'll be a while before we catch them all, but now it's at least clear where these paths should be, so anyone porting to another distro can send patches (or tickets) upstream. I see another duplicate: SSS_KRB5_INCLUDE_D = /var/lib/sss/pubconf/krb5.include.d SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = /var/lib/sss/pubconf/krb5.include.d/ Could you just pick one instead? Would ipa_backup.py break if it had a trailing slash here? Yes. I verified it produces the same result with or without trailing slash, fixed. In ipa-client-install, if you set: NSSWITCH_CONF = paths.NSSWITCH_CONF then you should only use one of those later. (Preferably paths.*, to get rid of the redundant constants.) Perhaps this is for another patch that would clean up all the cases where these trivial module variables are used. I agree. Fixed this occurence. I've opened an easyfix ticket for the rest: https://fedorahosted.org/freeipa/ticket/4399 Fixed all mentioned issues. I also attached a patch 230, which removes the base Authconfig class. Attaching one additional patch, which removes unnecessary build warnings. 226, 230, 231 look good Attaching whole updated patchset. Attaching one more patch which should fix broken CI tests. Self-NACK - It seems I omitted one occurence of NSSWITCH_CONF in ipa-client-install, fixed now. Attaching the whole patchset for your convenience. -- Attaching a correct patchset this time. I hate to break it to you, but... you sent the wrong patch 228 :( No way! That's a official fail combo on my part. Here's the correct patch. ACK, pushed to master: e5e42fc83ae74f0e0c68e68417a39fe6f2f2ae63 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 26.6.2014 09:21, Petr Viktorin wrote: On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza I agree that just returning a string when conversion fails is the wrong thing to do. I think that if LDAP generalized can contain the empty/invalid value, we should convert the '0' to what Python uses for that -- None. But None already means empty attribute. I don't think you can get [None] currently, can you? None is the default default for get(), but I don't think that's a problem. You can't, but you can get it from single_value when the attribute is empty or assign it to an attribute to make it empty. I would very much prefer if we avoided None, because it will only create mess and possibly some hard to catch errors. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 06/26/2014 09:33 AM, Jan Cholasta wrote: On 26.6.2014 09:21, Petr Viktorin wrote: On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza I agree that just returning a string when conversion fails is the wrong thing to do. I think that if LDAP generalized can contain the empty/invalid value, we should convert the '0' to what Python uses for that -- None. But None already means empty attribute. I don't think you can get [None] currently, can you? None is the default default for get(), but I don't think that's a problem. You can't, but you can get it from single_value when the attribute is empty or assign it to an attribute to make it empty. I would very much prefer if we avoided None, because it will only create mess and possibly some hard to catch errors. The problem is that unset is a valid value here, and None is the Python representation for that. If it has to make single_value ambiguous, I'd be fine with that -- single_value is just a helper. But, shouldn't single_value[x] raise KeyError if the attribute is missing? As for setting, there is a difference between entry.single_value[x] = None and del entry[x] and we should use the correct one for each case. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0229] dsinstance: Detect dynamic plugin support and restart server
On 06/18/2014 05:14 PM, Tomas Babej wrote: Hi, With 389-ds-base 1.3.3. comes the dynamic plugin support. We need to restart the server right after modifying the schema, as the plugins will be enabled at the point they are added (and not at the next server restart). Properly handle both situations in the installer. https://fedorahosted.org/freeipa/ticket/4203 Installation succeeded with normal DS, but with a build with dynamic plugins, the DS didn't start and installation failed. There were some plugin-related failures in the DS error log: [26/Jun/2014:10:11:41 +0200] ipapwd_start - [file ipa_pwd_extop.c, line 1243]: No config Entry extop? [26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 1019]: Internal error, couldn't find pluginextension ?! [26/Jun/2014:10:11:41 +0200] ipapwd_post_modadd - [file prepost.c, line 1019]: Internal error, couldn't find pluginextension ?! [26/Jun/2014:10:13:15 +0200] ipa_winsync_config - [file ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already configured. Please remove the plugin config entry [cn=ipa-winsync,cn=plugins,cn=config] [26/Jun/2014:10:13:15 +0200] ipa_winsync_plugin_start - [file ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap routine) [26/Jun/2014:10:13:15 +0200] - Failed to start preoperation plugin ipa-winsync [26/Jun/2014:10:13:15 +0200] - plugin_restart: Plugin (cn=ipa-winsync,cn=plugins,cn=config) failed to restart after configuration change (Failed to start plugin ipa-winsync. See errors log.). Reverting to original plugin entry. [26/Jun/2014:10:13:16 +0200] ipa_winsync_config - [file ipa-winsync-config.c, line 115]: Error: IPA WinSync plug-in already configured. Please remove the plugin config entry [cn=ipa-winsync,cn=plugins,cn=config] [26/Jun/2014:10:13:16 +0200] ipa_winsync_plugin_start - [file ipa-winsync.c, line 651]: configuration failed (Bad parameter to an ldap routine) [26/Jun/2014:10:13:16 +0200] - Failed to start preoperation plugin ipa-winsync [26/Jun/2014:10:13:16 +0200] dse_post_modify_plugin - The configuration change for plugin (cn=ipa-winsync,cn=plugins,cn=config) could not be applied dynamically, and will be ignored until the server is restarted. ... [26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... [26/Jun/2014:10:14:30 +0200] memberof-plugin - Memberof task starts (arg: (objectclass=*)) ... [26/Jun/2014:10:14:31 +0200] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [26/Jun/2014:10:14:32 +0200] memberof-plugin - Memberof task finished (arg: (objectclass=*)) ... [26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [26/Jun/2014:10:14:40 +0200] NSACLPlugin - The ACL target cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com does not exist [26/Jun/2014:10:15:19 +0200] - Entry cn=adtrust agents,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -- attribute memberOf not allowed [26/Jun/2014:10:15:19 +0200] memberof-plugin - memberof_postop_add: failed to add dn(cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com), error (-1) If you want I can give access to the VM. For the record, here's how to build 389-ds with the plugins enabled. 1.) Build dependencies source: yum install 389-ds-base* libicu* icu* bzip* net-snmp net-snmp-devel pcre* pam* mod-nss gdb gcc* perl-Archive-Tar -y --skip-broken git clone git://git.fedorahosted.org/git/389/ds.git cd ds 2.) Apply this diff: diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in index 85662a3..f4b32c7 100644 --- a/ldap/ldif/template-dse.ldif.in +++ b/ldap/ldif/template-dse.ldif.in @@ -58,7 +58,7 @@ nsslapd-maxdescriptors: 1024 nsslapd-max-filter-nest-level: 40 nsslapd-ndn-cache-enabled: on nsslapd-sasl-mapping-fallback: off -nsslapd-dynamic-plugins: off +nsslapd-dynamic-plugins: on nsslapd-allow-hashed-passwords: off dn: cn=features,cn=config diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index e890aed..e13c468 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -1567,7 +1567,7 @@ FrontendConfig_init () { init_plugin_logging = cfg-plugin_logging = LDAP_OFF; init_listen_backlog_size = cfg-listen_backlog_size = DAEMON_LISTEN_SIZE; init_ignore_time_skew = cfg-ignore_time_skew = LDAP_OFF; - init_dynamic_plugins = cfg-dynamic_plugins = LDAP_OFF; + init_dynamic_plugins = cfg-dynamic_plugins = LDAP_ON; init_cn_uses_dn_syntax_in_dns = cfg-cn_uses_dn_syntax_in_dns = LDAP_OFF; #if defined(LINUX) init_malloc_mxfast = cfg-malloc_mxfast = DEFAULT_MALLOC_UNSET; 3.) Build make -j1 -f rpm.mk rpms -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 26.6.2014 09:40, Petr Viktorin wrote: On 06/26/2014 09:33 AM, Jan Cholasta wrote: On 26.6.2014 09:21, Petr Viktorin wrote: On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza I agree that just returning a string when conversion fails is the wrong thing to do. I think that if LDAP generalized can contain the empty/invalid value, we should convert the '0' to what Python uses for that -- None. But None already means empty attribute. I don't think you can get [None] currently, can you? None is the default default for get(), but I don't think that's a problem. You can't, but you can get it from single_value when the attribute is empty or assign it to an attribute to make it empty. I would very much prefer if we avoided None, because it will only create mess and possibly some hard to catch errors. The problem is that unset is a valid value here, It is not, according to Generalized Time syntax (RFC 4517 section 3.3.13) 0 is an invalid value and we should treat it the same way as any other invalid value (hence my original suggestion). and None is the Python representation for that. If it has to make single_value ambiguous, I'd be fine with that -- single_value is just a helper. But, shouldn't single_value[x] raise KeyError if the attribute is missing? It does. When attribute is empty/None, it is unset, not missing. There is old code which depends on this. As for setting, there is a difference between entry.single_value[x] = None and del entry[x] and we should use the correct one for each case. Yes, but until the old code is fixed, None has a special meaning and can't be used for anything else. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Design Review Keytab Retrieval
On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 06/26/2014 10:33 AM, Jan Cholasta wrote: On 26.6.2014 09:40, Petr Viktorin wrote: On 06/26/2014 09:33 AM, Jan Cholasta wrote: On 26.6.2014 09:21, Petr Viktorin wrote: On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza [...] The problem is that unset is a valid value here, It is not, according to Generalized Time syntax (RFC 4517 section 3.3.13) 0 is an invalid value and we should treat it the same way as any other invalid value (hence my original suggestion). OK, in that case ignore what I said here. So am I correct that 389-ds storing a value that doesn't comply with the attribute's syntax? Should we file a DS bug? -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FYI: Cert for https://www.freeipa.org/ is invalid
On 06/26/2014 07:28 AM, James wrote: I think it's kind of funny that the cert for: https://www.freeipa.org/ is invalid, particularly since this is a security product. In any case, feel free to forward to whoever maintains this in case someone thinks it matters. Cheers, James You are of course right. Given that OpenShift (where the wiki is running) now supports certificates for aliases, it is possible to configure the certificate. I have started the machinery, stay tuned. Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0236] ipaldap: Fallback to string if datetime conversion went wrong
On 26.6.2014 10:39, Petr Viktorin wrote: On 06/26/2014 10:33 AM, Jan Cholasta wrote: On 26.6.2014 09:40, Petr Viktorin wrote: On 06/26/2014 09:33 AM, Jan Cholasta wrote: On 26.6.2014 09:21, Petr Viktorin wrote: On 06/26/2014 08:30 AM, Jan Cholasta wrote: On 25.6.2014 18:25, Petr Viktorin wrote: On 06/25/2014 05:29 PM, Jan Cholasta wrote: Hi, On 25.6.2014 17:17, Tomas Babej wrote: Hi, Our datetime conversion does not support full LDAP Generalized time syntax. In the unsupported cases, we should fall back to string representation of the attribute. In particular, '0' is used to denote no value of LDAP generalized time attribute. https://fedorahosted.org/freeipa/ticket/4350 NACK, this beats the purpose of decoding of the values, because it requires you to check the type of the value before using it. Instead, you should either fix the code that uses the nsds5ReplicaLastUpdate{Start,End} attributes to access their raw value directly, or exclude the attributes from decoding to datetime by overriding their type in IPASimpleLDAPObject._SYNTAX_OVERRIDE. Honza [...] The problem is that unset is a valid value here, It is not, according to Generalized Time syntax (RFC 4517 section 3.3.13) 0 is an invalid value and we should treat it the same way as any other invalid value (hence my original suggestion). OK, in that case ignore what I said here. So am I correct that 389-ds storing a value that doesn't comply with the attribute's syntax? Should we file a DS bug? AFAIK syntax checks are done only on LDAP adds and mods, so unless we are setting 0 somewhere and DS does not complain, it is not a bug. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.0
The FreeIPA team is proud to announce bind-dyndb-ldap version 5.0. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 20 and and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.0-1.fc20 Release to Fedora 'updates' repo will be coordinated with FreeIPA 4.0 release to prevent breakages. == Changes in 5.0 == [1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be signed with keys provided by user. [2] DNSKEY, RRSIG, NSEC and NSEC3 records are automatically managed by BIND+bind-dyndb-ldap. Respective attributes in LDAP are ignored. [3] Forwarder semantic was changed to match BIND's semantics: - idnsZone object always represents master zone - idnsForwardZone object (new) always represents forward zone [4] Master root zone can be stored in LDAP. == Upgrading == A server can be upgraded by installing updated RPM. BIND has to be restarted manually after the RPM installation. !!! CAUTION !!! idnsZone object class changed it's semantics. Please read https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README and update idnsForwarders and idnsForward policy attributes in your DNS zones accordingly. Transition from idnsZone to idnsForwardZone object class can be made seamless if you change data in LDAP before you upgrade to version 5.x. All bind-dyndb-ldap versions = 3.0 support the idnsForwardZone object class. Users of FreeIPA 4.0 should be careful when upgrading bind-dyndb-ldap to version = 5.0 (if they do not upgrade to FreeIPA 4.x at the same time). Configuration semantics related to conditional (per-zone) forwarding has changed and FreeIPA 4.0 doesn't have appropriate user interface and API. It is safe to upgrade if you use *only* global forwarders (shown by 'ipa dnsconfig-show') and *do not* use per-zone forwarders (shown by 'ipa dnszone-show'). Don't hesitate to ask freeipa-users mailing list if you need help with upgrade. !!! CAUTION !!! Downgrading back to any 4.x version is supported. == Feedback == Please provide comments, report bugs and send any other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek @ Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing
On 06/18/2014 03:56 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373. Honza Works fine, tested with # perl -i -pe 'chomp if eof' /etc/ssh/sshd_config trick. ACK, pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 676 rpcserver: fix local vs utc time comparison
On 25.6.2014 17:36, Jan Cholasta wrote: Hi, On 24.6.2014 16:02, Petr Vobornik wrote: login_password did not work properly in timezones other than +0h because local time was compared with utc time. ACK. pushed to master: 1c94edd3a09711d85ba099bd815c0bdd8f0210c1 rpcserver: fix local vs utc time comparison Bug introduced in: https://fedorahosted.org/freeipa/ticket/4339 We should review other code for invalid usage of datetime.now() All other uses of datetime.now() predate LDAP datetime decoding, so I think we are fine. Honza -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing
On 06/26/2014 12:18 PM, Martin Kosek wrote: On 06/18/2014 03:56 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373. Honza Works fine, tested with # perl -i -pe 'chomp if eof' /etc/ssh/sshd_config trick. ACK, pushed to master. Martin It would be really nice to have some tests for this function. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 659-666 Support of password reset with OTP
On 25.6.2014 19:41, Endi Sukma Dewata wrote: On 6/20/2014 10:18 AM, Petr Vobornik wrote: On 11.6.2014 15:19, Petr Vobornik wrote: Patch set contains both API/server and Web UI parts. [PATCH] 659 ldap2: add otp support to modify_password [PATCH] 660 rpcserver: add otp support to change_password handler [PATCH] 661 ipa-passwd: add OTP support [PATCH] 662 webui: support password change with OTP in login screen [PATCH] 663 webui: placeholder attribute support in textbox and textarea [PATCH] 664 webui: add placeholders to login screen [PATCH] 665 webui: rebase user password dialog on password dialog and add otp support [PATCH] 666 webui: support otp in reset_password.html https://fedorahosted.org/freeipa/ticket/4262 attaching rebased patches (mainly because of VERSION conflict) ACK. Possible improvements (some of which are already discussed on IRC): pushed to master: * 7fca783ec554e525465221af13e17f419769c760 ldap2: add otp support to modify_password * 896920ed12a4601a60ac6a7e6f4f13d9ca48df77 rpcserver: add otp support to change_password handler * 2df654223259ca336843f37a229838e125c874d6 ipa-passwd: add OTP support * f9adc5a5f3ed84ae23c4261f7316ad2e84952d68 webui: support password change with OTP in login screen * 6e7d4ad468854cce8a9a76f3abf8268e3813ff93 webui: placeholder attribute support in textbox and textarea * e3de46767683c5050377cc5e683cd6e3d28ea4e9 webui: add placeholders to login screen * 870db2f677dff01750aeec104c90fce3ca0e54be webui: rebase user password dialog on password dialog and add otp support * 70c77e6a3cfe1a4fbfb5f053a4d47dd2e47d8b3b webui: support otp in reset_password.html I've shamelessly copied all 13 items into new trac ticket https://fedorahosted.org/freeipa/ticket/4402 to track these possible improvements. We can create separate tickets for issues 8,9,11,12,13 if needed. 1. The clock interval field in the Add OTP Token dialog could be disabled for HOTP. 2. The clock interval and counter fields (and probably some other fields too) in the OTP Token details page could be hidden depending on the token type. 3. The Add OTP Token dialog could provide more descriptive token types: time-based or counter-based token instead of just TOTP or HOTP. 4. The OTP Token details page could show the token type (I suppose the model may not be descriptive enough). 5. It would be nice to have a link/button to add OTP Token from the user details page with the owner already set to the user. 6. The clock interval should have a unit of measurements (i.e. seconds). 7. When logging in with an expired password, the user will be asked to reset a password and enter an OTP. Although OTP means one-time password, some users could be confusing it with the OTP he/she just entered in the previous page. It would be nicer to say New OTP or add an explanation Wait for a new OTP to make sure the user enters a new OTP. 8. In the User authentication types field it might be better to say password + OTP instead of just otp. The checkbox value can remain otp. 9. The User authentication types is a bit confusing because if none are selected it doesn't mean that no authentication is allowed, but it means it's unset and it will use the global setting. The UI probably should provide a separate radio button to select Use global setting or show the effective setting next to it. 10. The Default user authentication types in the global setting is a bit confusing because by default nothing is selected but the actual default is supposedly not empty. 11. Ideally the password reset page/dialog should indicate whether the old password and the OTP are required based on the actual authentication type available to the user. 12. Ideally there should be a way to display the QR code of an existing OTP token. 13. The UI could also provide a link to download the OTP app or a list of supported apps. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 09:53 -0400, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. This patch includes everything above and fixes the missing ./makeapi run. ACK. Please do not commit it yet as there is a specific order in which all these patches should be committed. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. Applied. ACK. This should be committed first one. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote: On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote: On 3.6.2014 05:08, Nathaniel McCallum wrote: This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. Build fails on validation. You forgot to update API.txt and also the command misses __doc__. (not a proper review) Thanks, fixed. Attached is a new revision which is rebased on master. In addition it: 1. Moves user to a parameter and moves token to an argument. Doing it this way both mirrors the existing otptoken APIs and sets us up for future Kerberos based syncing where the username/password will be optional. 2. Converts the token ID to a DN. ACK. Please do not commit this patch yet, we are not done with its dependencies. As discussed off list, we also needed to verify the certificate so that passwords were not sent in the clear to a MITM. This has now been implemented. VERSION is bumped and ./makeapi was run. This patch is also rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs to be merged before this patch (0056). Right. There is one small fix that need to be squashed prior to committing as pylint cannot get insights into function states. The patch attached. With it, ACK. -- / Alexander Bokovoy From b1e75c884fd5303dce038e4f3dc6158d93785671 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 26 Jun 2014 13:16:47 +0300 Subject: [PATCH 4/4] fixup! Add otptoken-sync command --- ipalib/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 46ad77a..7b9e256 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -394,7 +394,7 @@ class otptoken_remove_managedby(LDAPRemoveMember): class HTTPSConnection(httplib.HTTPConnection): Generates an SSL HTTP connection that performs hostname validation. -ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] +ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101 default_port = httplib.HTTPS_PORT def __init__(self, host, **kwargs): -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 302 Do not corrupt sshd_config in client install when trailing newline is missing
On 26.6.2014 12:43, Petr Viktorin wrote: On 06/26/2014 12:18 PM, Martin Kosek wrote: On 06/18/2014 03:56 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4373. Honza Works fine, tested with # perl -i -pe 'chomp if eof' /etc/ssh/sshd_config trick. ACK, pushed to master. Martin It would be really nice to have some tests for this function. It would be even nicer to use Augeas to handle this. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0078-0079] DNSEC: Add TLSA record
On 25.6.2014 14:35, Martin Basti wrote: On Wed, 2014-06-25 at 14:31 +0200, Martin Basti wrote: Ticket https://fedorahosted.org/freeipa/ticket/4328#comment:12 Patches attached. Note: ACI will be updated in another patch which fix ACIs in DNS plugin Patches are here What are patch 0078's dependencies? I'm missing necessary blobs.. (current master). Also it requires rebase because of today's pushes to master (VERSION conflict). -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Design Review Keytab Retrieval
On Thu, 26 Jun 2014, Martin Kosek wrote: On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Unfortunately, at least enctype marshalling is wrong with these patches. Samba does not work anymore with the keytab fetched in new version. We see following in the keytab: Keytab name: FILE:/etc/samba/samba.keytab KVNO Timestamp Principal - 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 274) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 273) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 272) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 279) Note that etype is unresolvable. In the build without these patches we get something like 1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com (aes256-cts-hmac-sha1-96) So this patchset needs an improvement before release. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Design Review Keytab Retrieval
On 06/26/2014 02:33 PM, Alexander Bokovoy wrote: On Thu, 26 Jun 2014, Martin Kosek wrote: On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Unfortunately, at least enctype marshalling is wrong with these patches. Samba does not work anymore with the keytab fetched in new version. We see following in the keytab: Keytab name: FILE:/etc/samba/samba.keytab KVNO Timestamp Principal - 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 274) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 273) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 272) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 279) Note that etype is unresolvable. In the build without these patches we get something like 1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com (aes256-cts-hmac-sha1-96) So this patchset needs an improvement before release. FYI: I filed https://fedorahosted.org/freeipa/ticket/4404 , setting up this as blocker. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
On 16.6.2014 15:35, Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza Rebased on top of current master. -- Jan Cholasta From 6d234a5f8756876a980a7a0c15fca64fe0a6a975 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:44:03 +0200 Subject: [PATCH 1/5] Add new NSSDatabase method get_cert for getting certs from NSS databases. Part of https://fedorahosted.org/freeipa/ticket/3737 --- ipaserver/install/certs.py | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 118cf77..37b102c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -211,9 +211,21 @@ class NSSDatabase(object): raise RuntimeError( Setting trust on %s failed % root_nickname) +def get_cert(self, nickname, pem=False): +args = ['-L', '-n', nickname] +if pem: +args.append('-a') +else: +args.append('-r') +try: +cert, err, returncode = self.run_certutil(args) +except ipautil.CalledProcessError: +raise RuntimeError(Failed to get %s % nickname) +return cert + def export_pem_cert(self, nickname, location): Export the given cert to PEM file in the given location -cert, err, returncode = self.run_certutil([-L, -n, nickname, -a]) +cert = self.get_cert(nickname) with open(location, w+) as fd: fd.write(cert) os.chmod(location, 0444) -- 1.9.0 From f4b9c00871caab73201d12f24a3b158c03742eba Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 13 Jun 2014 14:45:29 +0200 Subject: [PATCH 2/5] Allow changing chaining of the IPA CA certificate in ipa-cacert-manage. Part of https://fedorahosted.org/freeipa/ticket/3737 --- install/tools/man/ipa-cacert-manage.1 | 6 + ipaserver/install/ipa_cacert_manage.py | 41 +++--- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 index 92fe717..cf42b24 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -42,6 +42,12 @@ When the IPA CA is not configured, this command is not available. \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR The Directory Manager password to use for authentication. .TP +\fB\-\-self\-signed\fR +Sign the renewed certificate by itself. +.TP +\fB\-\-external\-ca\fR +Sign the renewed certificate by external CA. +.TP \fB\-\-external\-cert\-file\fR=\fIFILE\fR PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file. .TP diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index f6f3a8b..a0aa355 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -28,7 +28,7 @@ import krbV from ipapython import admintool, certmonger, ipautil from ipapython.dn import DN from ipaplatform.paths import paths -from ipalib import api, errors, x509, util +from ipalib import api, errors, x509, certstore from ipaserver.install import certs, cainstance, installutils from ipaserver.plugins.ldap2 import ldap2 @@ -52,6 +52,14 @@ class CACertManage(admintool.AdminTool): renew_group = OptionGroup(parser, Renew options) renew_group.add_option( +--self-signed, dest='self_signed', +action='store_true', +help=Sign the renewed certificate by itself) +renew_group.add_option( +--external-ca, dest='self_signed', +action='store_false', +help=Sign the renewed certificate by external CA) +renew_group.add_option( --external-cert-file, dest='external_cert_file', help=PEM file containing a certificate signed by the external CA) renew_group.add_option( @@ -146,7 +154,12 @@ class CACertManage(admintool.AdminTool): if options.external_cert_file: return self.renew_external_step_2(ca, cert) -if x509.is_self_signed(cert, x509.DER): +if options.self_signed is not None: +self_signed = options.self_signed +else: +self_signed = x509.is_self_signed(cert, x509.DER) + +if self_signed: return self.renew_self_signed(ca) else: return self.renew_external_step_1(ca) @@ -179,20 +192,19 @@ class CACertManage(admintool.AdminTool):
Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support
On 06/26/2014 01:01 PM, Alexander Bokovoy wrote: On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:21 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote: This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. This patch depends on my patch #0054. Attached is a new revision. This version should force an update to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master. ACK with condition that you apply attached fixups. Since token that is passed by 'ipa otptoken-sync' command is not a full DN, we need to support both cases, when DN and just a name is passed. Attached patch fixes this. Applied. ACK. This should be committed first one. Pushed to master. I just added link to https://fedorahosted.org/freeipa/ticket/4218 to the patch description. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 691 webui-ci: fix action list action visibility and enablement assertion
Fixes CA-less CI test fail The new html structure was not addressed properly. -- Petr Vobornik From a0e2e83470d1ca2c5f6f286e59588b10eb5f75bc Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 26 Jun 2014 14:38:05 +0200 Subject: [PATCH] webui-ci: fix action list action visibility and enablement assertion The new html structure was not addressed properly. --- ipatests/test_webui/ui_driver.py | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py index 3f40efd5a35691508185604349ae208a472000b9..047009a295838d0053c9c0e378e97b480db6a0e7 100644 --- a/ipatests/test_webui/ui_driver.py +++ b/ipatests/test_webui/ui_driver.py @@ -1734,16 +1734,17 @@ class UI_driver(object): if not parent: parent = self.get_form() -s = .facet-actions li[data-name='%s'] a % action -link = self.find(s, By.CSS_SELECTOR, parent) +s = .facet-actions li[data-name='%s'] % action +li = self.find(s, By.CSS_SELECTOR, parent) +link = self.find(a, By.CSS_SELECTOR, li) -is_visible = link is not None and link.is_displayed() +is_visible = li is not None and link is not None is_enabled = False assert is_visible == visible, ('Invalid visibility of action item: %s. ' 'Expected: %s') % (action, str(visible)) if is_visible: -is_enabled = not self.has_class(link, 'disabled') +is_enabled = not self.has_class(li, 'disabled') assert is_enabled == enabled, ('Invalid enabled state of action item %s. ' 'Expected: %s') % (action, str(visible)) -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command
On 06/26/2014 01:02 PM, Alexander Bokovoy wrote: On Wed, 25 Jun 2014, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:18 +0300, Alexander Bokovoy wrote: On Tue, 24 Jun 2014, Nathaniel McCallum wrote: On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote: On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote: On 3.6.2014 05:08, Nathaniel McCallum wrote: This command calls the token sync HTTP POST call in the server providing the CLI interface to synchronization. https://fedorahosted.org/freeipa/ticket/4260 This patch depends on my patch #0055. Build fails on validation. You forgot to update API.txt and also the command misses __doc__. (not a proper review) Thanks, fixed. Attached is a new revision which is rebased on master. In addition it: 1. Moves user to a parameter and moves token to an argument. Doing it this way both mirrors the existing otptoken APIs and sets us up for future Kerberos based syncing where the username/password will be optional. 2. Converts the token ID to a DN. ACK. Please do not commit this patch yet, we are not done with its dependencies. As discussed off list, we also needed to verify the certificate so that passwords were not sent in the clear to a MITM. This has now been implemented. VERSION is bumped and ./makeapi was run. This patch is also rebased on top of my patch 0058 (which is already ACK'd), so 0058 needs to be merged before this patch (0056). Right. There is one small fix that need to be squashed prior to committing as pylint cannot get insights into function states. The patch attached. With it, ACK. Fixed VERSION conflict, squashed fixup patch and pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command
On 06/25/2014 03:53 PM, Nathaniel McCallum wrote: On Wed, 2014-06-25 at 13:35 +0300, Alexander Bokovoy wrote: On Mon, 23 Jun 2014, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 10:29 +0300, Alexander Bokovoy wrote: On Fri, 20 Jun 2014, Nathaniel McCallum wrote: On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote: This command behaves almost exactly like otptoken-add except: 1. The new token data is written directly to a YubiKey 2. The vendor/model/serial fields are populated from the YubiKey === NOTE === 1. This patch depends on the new Fedora package: python-yubico. If you would like to help with the package review, please assign yourself here: https://bugzilla.redhat.com/show_bug.cgi?id=334 New version of the patch. This one works (yay!). 1. Because of the dependency on python-yubico, is this feature something we want in core FreeIPA? As a subpackage? Separate project altogether? The only dependency for python-yubico is pyusb. I'd prefer to have it integrated but have a separate dummy subpackage that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of failing when 'ipa otptoken-add-yubikey' is called, please wrap the python-yubico import into a code that allows reporting a message back to the user advising to install the package. Who is a supposed user for this command? IPA command line interface isn't usually available on enrolled machines even though underlying Python modules are all there. Are we talking about admins or just users? As discussed on IRC, we are currently hard-coding lots of optional dependencies. And breaking this apart into subpackages can be solved at a later point. YubiKey is also a unique case: we don't expect to be adding many more plugins like this. For these reasons, I have kept this as a hard dependency. To ease this transition, I have added python-yubico to F20 and EL6. You can help with the update review here: https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.fc20 https://admin.fedoraproject.org/updates/python-yubico-1.2.1-3.el6 3. This code currently emits a warning from the call to otptoken-add: WARNING: API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.89 How do I fix this? Do not filter 'version' field in options in execute(). I opted to not filter out version rather than hard-code it (pviktori's suggestion). This is based on the fact that otptoken-add-yubikey is tightly integrated with otptoken-add (even using some of the class attributes from otptoken). 4. I am not sure why I have to delete the summary and value keys from the return dictionary. It would be nice to display this summary message just like otptoken-add. I still need help on this. 5. Am I doing the ipatoken(vendor|model|serial) options correctly? These aren't user settable, but we need to pass them from the yubikey (client-side) to the server. This is no longer needed since I am doing everything in forward(). However, listing these three as output params causes them to appear before the token's ID. I don't think this is the right way to output these. But this seems to me a framework issue. 6. I'm not sure my use of assert or ValueError are correct. What should I do here? Still need help here. Fixed this part. 7. Considering that this is just a specialized invocation of otptoken-add, can't we do this all on the client-side? This is why I had originally used frontend.Local rather than frontend.Command. You don't need to implement execute then, only forward, where you'll forward your call to the server under otptoken_add name. Typically in #forward we call super's forward but that is because we in Command.forward() we simply forward the command to the remote backend, using the self.name. In your case we shouldn't really have a separate command on the server under the same name, so you'll need to avoid calling So, it should look like this: def forward(self, *args, **kw): perform yubikey initialization filter out kw and args, if needed return self.Backend.rpcclient.forward('otptoken_add', *args, **kw) See service_show implementation for an example. Fixed. I'm attaching few fixups to the patch that make it proper reporting for non-Yubikey case and also properly update VERSION. Provisional ACK. Merged. Nathaniel There was a conflict on VERSION (thanks, Petr!) and API.txt was not regenerated. I fixed both and pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Design Review Keytab Retrieval
On Thu, 2014-06-26 at 15:33 +0300, Alexander Bokovoy wrote: On Thu, 26 Jun 2014, Martin Kosek wrote: On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Unfortunately, at least enctype marshalling is wrong with these patches. Samba does not work anymore with the keytab fetched in new version. We see following in the keytab: Keytab name: FILE:/etc/samba/samba.keytab KVNO Timestamp Principal - 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 274) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 273) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 272) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 279) Note that etype is unresolvable. In the build without these patches we get something like 1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com (aes256-cts-hmac-sha1-96) So this patchset needs an improvement before release. Working on this. I know, roughly what's going on, but still trying to pinpoint exactly the offender. (It is the ber marshalling/unmarshalling indeed). Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 267-294 Support multiple CA certificates in LDAP
Comments buried deep inline. Jan Cholasta wrote: On 16.6.2014 22:36, Rob Crittenden wrote: Rob Crittenden wrote: Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3259 and https://fedorahosted.org/freeipa/ticket/3520. This work depends on my patches 241-253 and 262-266 (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html). Note that automatic distribution of CA certificates to IPA systems is not implemented yet (it's planned for IPA 4.2, see https://fedorahosted.org/freeipa/ticket/4322), so /etc/ipa/ca.crt, /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated *only* during client/server install. 267 What is the purpose of this change? Won't this cause no certificates to be exported in the default case? diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 61a954f..3cd7a53 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -463,7 +463,7 @@ class CertDB(object): do that step. # export the CA cert for use with other apps ipautil.backup_file(self.cacert_fname) -root_nicknames = self.find_root_cert(nickname) +root_nicknames = self.find_root_cert(nickname)[:-1] fd = open(self.cacert_fname, w) for root in root_nicknames: (cert, stderr, returncode) = self.run_certutil([-L, -n, root, -a]) Or are you separating out issuing CA from the rest of the chain? find_root_cert() returns the certificate chain *including* the end-entity certificate. We want only CA certificates here. This is an error introduced in the CA-less rewrite. OK. 268 ACK 269 ACK 270 If a user has their own CA installed, such as the case where they used ipa-server-certinstall, this will break it. You can't install own CA with ipa-server-certinstall. I did not see anything break. Sorry, I wasn't very clear. Imagine the case where the user has replaced the server certificate in Apache with something issued by some other CA that requires that some CA certificates also be installed. This is a not-too-common but seen scenario, mostly to avoid having to trust the IPA CA in browsers. The way I read fix_trust_flags() is that it would remove the trust from unknown CA's which could cause the server to not start. IMHO you should leave alone certs you don't know about. What can be in the other set? Docs are needed. The trusted set is for trusted CA certs and the other set is for other CA certs. I will add a comment... You potentially add a bunch of certs with no trust, what is the purpose? No trust in this context means trust only for issuing CA certificates. The certs are there for the sole purpose of forming the CA chain, so they don't need to be trusted for anything else. 271 ipaSecretKey isn't mentioned on http://www.freeipa.org/page/V4/CA_certificate_renewal . What is it and does it need to be added now? This is the schema from http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Encoded_key_data. It is shared with DNSSEC. I will add a comment. 272 ACK 273 ACK 274 ACK 275 ACK 276 There isn't any error handling around the ASN.1 decoder. Is that wise? Probably not, but it's consistent with the rest of the x509 module - none of its functions do error handling, it is up to the caller. BTW I have started refactoring x509 code, but didn't have time to finish. The new code will include error handling. Well, sure, but it isn't doing ASN.1 decoding of raw certs either. A lot can go wrong there. There should be unit tests Yes. 277 There should be unit tests Yes. 278 When the certificate must be passed in as DER can you use dercert as the argument name so it's clear what is needed? OK. In update_ca_cert() and get_ca_certs() should the values for trust be case insensitive? It already is in update_ca_cert(), but get_ca_certs() does indeed need to be fixed. This breaks the convention where attribute names are always lower-case. I wasn't aware there is such a convention, especially so after seeing loads of mixed case attribute names all over IPA code. Anyway, I don't think it matters anymore, the new LDAP code has case-insensitive attribute names. Ok, I won't fight it, but look in ipalib/plugins. The majority of objectclasses/attributes are lower case. Anything otherwise was missed in review. I can't really grok add_ca_cert(). You are adding certs but removing values? Is this un-setting the list of trusted CA's maybe? It is unsetting ipaConfigString values from entries that should no longer have them. I will add a comment. There isn't a single comment in this file beyond the header. Sorry, will fix. 279 Looks ok 280 Why add the chain with no trust? See my comment for patch 270. OK 281 / 282 What is the difference between add_cert and import_cert other than
Re: [Freeipa-devel] Design Review Keytab Retrieval
On Thu, 2014-06-26 at 10:20 -0400, Simo Sorce wrote: On Thu, 2014-06-26 at 15:33 +0300, Alexander Bokovoy wrote: On Thu, 26 Jun 2014, Martin Kosek wrote: On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Unfortunately, at least enctype marshalling is wrong with these patches. Samba does not work anymore with the keytab fetched in new version. We see following in the keytab: Keytab name: FILE:/etc/samba/samba.keytab KVNO Timestamp Principal - 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 274) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 273) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 272) 1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat@dom136.tbad.idm.lab.eng.brq.redhat.com (etype 279) Note that etype is unresolvable. In the build without these patches we get something like 1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat@dom139.tbad.idm.lab.eng.brq.redhat.com (aes256-cts-hmac-sha1-96) So this patchset needs an improvement before release. Working on this. I know, roughly what's going on, but still trying to pinpoint exactly the offender. (It is the ber marshalling/unmarshalling indeed). Simo. The attached patch fixes it for me. Simo. -- Simo Sorce * Red Hat, Inc * New York From 1b69d2248c19e82b811ff80d5fe39b6012c0ea52 Mon Sep 17 00:00:00 2001 From: Simo Sorce s...@redhat.com Date: Thu, 26 Jun 2014 11:43:47 -0400 Subject: [PATCH] Fix getkeytab code to always use implicit tagging. A mixture of implicit and explicit tagging was being used and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treat sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow to the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce s...@redhat.com --- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 8 ipa-client/ipa-getkeytab.c | 8 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 90a92f1eff054e0667323e5cf6222bc40436cf9e..b0cdea315913dbfdce3dead7a2054b6fa917a9ae 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -1328,7 +1328,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold, } /* ber parse code */ -ttag = ber_scanf(ber, {t[a], ctag, svcname); +ttag = ber_scanf(ber, {ta, ctag, svcname); if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) { LOG_FATAL(ber_scanf failed to decode service name\n); err_msg = Invalid payload.\n; @@ -1378,7
Re: [Freeipa-devel] Design Review Keytab Retrieval
On Thu, 2014-06-26 at 10:37 +0200, Martin Kosek wrote: On 06/26/2014 04:29 AM, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 17:24 -0400, Nathaniel McCallum wrote: On Mon, 2014-06-23 at 14:35 -0400, Simo Sorce wrote: - Original Message - - Original Message - Can you check if ipaProtectedOperation is in the aci attribute in the base tree object ? It should be there as excluded, and that should cause admin to not be able to retrieve keytabs. It was not. While running ipa-ldap-updater I got the following: InvalidSyntax: ACL Syntax Error(-5):(targetattr= \22ipaProtectedOperation;write_keys\22)(version 3.0; acl \22Admins are allowed to rekey any entity\22; allow(write) groupdn = \22ldap:///cn=admins: Invalid syntax. Uhmm I do not see anything obviously wrong with ACI instruction, it looks just like the one I replace, Ideas ? Do you have ipaProtectedOperation in the schema ? (I rebased patch 3 but will wait to send a patchset until we understand (and fix) why this is failing to update. Ok, apparently it was a quoting issue in the .update files, hopefully that's the only issue (I am at a conference today and do not have my test env. handy). The attached patches are rebased on the latest master. 0001: Line 555 has very wrong indentation. I don't see anything else wrong in the other patches. I've tested everything and it works as designed. I have CC'd everyone who was involved with review at any point on these patches. This serves as my public notice that I'd like to ACK the next round of patches. If anyone has anything else to add, please do it before tomorrow evening. Thanks! Nathaniel ACK Nathaniel Pushed all 6 patches to master. Thanks for careful review! Not sure what happened but the indentation issue I sent a patch for was not fixed in the final push and instead of a tab now there are 4 spaces: Attached find patch that fixes the issue as seen in master. Simo. -- Simo Sorce * Red Hat, Inc * New York From dc0a99c688e697daefeca36d6773aa2b402ee715 Mon Sep 17 00:00:00 2001 From: Simo Sorce s...@redhat.com Date: Thu, 26 Jun 2014 13:49:33 -0400 Subject: [PATCH] Fix incorrect indentation --- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index b0cdea315913dbfdce3dead7a2054b6fa917a9ae..ca021cac71da690a498fe3003fae1babb30456c1 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -1073,7 +1073,7 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset, for (int i = 0; i kset-num_keys; i++) { rc = ber_printf(ber, {i}, (ber_int_t)kset-keys[i].key_data_type[0]); -if (rc == -1) { +if (rc == -1) { rc = LDAP_OPERATIONS_ERROR; LOG_FATAL(Failed to ber_printf the enctype); goto done; -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Jan Cholasta wrote: On 16.6.2014 15:35, Jan Cholasta wrote: Hi, the attached patches implement https://fedorahosted.org/freeipa/ticket/3737. My patches 241-253 and 262-294 are required for this (http://www.redhat.com/archives/freeipa-devel/2014-June/msg00276.html, http://www.redhat.com/archives/freeipa-devel/2014-June/msg00307.html). The installation/testing guidelines from http://www.redhat.com/archives/freeipa-devel/2014-March/msg00385.html apply here as well. Honza Rebased on top of current master. 295 ACK 296, 297 299 TBD, need to test but no problems seen so far. 298 The man page, if not usage, should include what the valid trust flags are or point to NSS documentation. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal
Jan Cholasta wrote: On 12.6.2014 09:49, Jan Cholasta wrote: On 20.5.2014 21:38, Rob Crittenden wrote: Jan Cholasta wrote: On 25.4.2014 10:51, Jan Cholasta wrote: On 24.4.2014 23:16, Rob Crittenden wrote: Jan Cholasta wrote: On 10.4.2014 22:06, Rob Crittenden wrote: Some in-line, a whole ton of data appended to end. Jan Cholasta wrote: On 7.4.2014 20:09, Rob Crittenden wrote: Rob Crittenden wrote: 247 We've been burned by hardcoded timeouts in the past. Should this be configurable? This module doesn't currently do any logging but it might be worth spitting out a waiting message, at least for debugging. Added a timeout argument. Did you forget to send this one, I didn't see an update to 247. Are you sure you have 247.1 (now 247.2)? I can see at http://www.redhat.com/archives/freeipa-devel/2014-April/msg00225.html that I have sent the correct version of the patches. The call has a timeout, the callers don't use it. I guess it'll do for now, but these almost always come back to bite us. Well, I can add --certmonger-timeout option to ipa-cacert-manage, if that's what you want. 251 The tool should provide some feedback while it's running. For the impatient (me) it takes a really long time and it's hard to know what is going on, something in between nothing and full debug output. Added some messages about what's going on. I dpn't see an update to 251 either. Please make sure you have 251.1 (now 251.2). There is a little bit more output but there are still very long periods of waiting between any visual activity, particularly when doing it on an IPA self-signed CA. This stuff takes time :-) What would you like to see in the output, that's not already there? I think the ipa-cacert-manage man page is missing one really important piece: why would you ever need to run this? And when? Added a paragraph about this. It's better, couple of comments: Add the in between renew and CA in used to manually renew CA certificate of and When IPA CA OK. I haven't had any luck renewing the CA certificate yet. I see that it is tracked now. I started moving the system clock forward in order to get to renewal and about the 3rd iteration the requests started failing with an XML error. Did you see this? [Thu Apr 21 11:08:49.929486 2016] [:error] [pid 11692] Traceback (most recent call last): [Thu Apr 21 11:08:49.929489 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 344, in wsgi_execute [Thu Apr 21 11:08:49.929493 2016] [:error] [pid 11692] result = self.Command[name](*args, **options) [Thu Apr 21 11:08:49.929496 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 436, in __call__ [Thu Apr 21 11:08:49.929499 2016] [:error] [pid 11692] ret = self.run(*args, **options) [Thu Apr 21 11:08:49.929503 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 752, in run [Thu Apr 21 11:08:49.929506 2016] [:error] [pid 11692] result = self.execute(*args, **options) [Thu Apr 21 11:08:49.929509 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/plugins/cert.py, line 382, in execute [Thu Apr 21 11:08:49.929512 2016] [:error] [pid 11692] result = api.Command['cert_show'](unicode(serial))['result'] [Thu Apr 21 11:08:49.929516 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 436, in __call__ [Thu Apr 21 11:08:49.929519 2016] [:error] [pid 11692] ret = self.run(*args, **options) [Thu Apr 21 11:08:49.930559 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 752, in run [Thu Apr 21 11:08:49.930567 2016] [:error] [pid 11692] result = self.execute(*args, **options) [Thu Apr 21 11:08:49.930570 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipalib/plugins/cert.py, line 514, in execute [Thu Apr 21 11:08:49.930573 2016] [:error] [pid 11692] result=self.Backend.ra.get_certificate(serial_number) [Thu Apr 21 11:08:49.930577 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py, line 1502, in get_certificate [Thu Apr 21 11:08:49.930580 2016] [:error] [pid 11692] parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml) [Thu Apr 21 11:08:49.930591 2016] [:error] [pid 11692] File /usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py, line 1363, in get_parse_result_xml [Thu Apr 21 11:08:49.930594 2016] [:error] [pid 11692] doc = etree.fromstring(xml_text, parser) [Thu Apr 21 11:08:49.930598 2016] [:error] [pid 11692] File lxml.etree.pyx, line 3032, in lxml.etree.fromstring (src/lxml/lxml.etree.c:68129) [Thu Apr 21 11:08:49.930601 2016] [:error] [pid 11692] File parser.pxi, line 1785, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:102493) [Thu Apr 21 11:08:49.930604
Re: [Freeipa-devel] [PATCH] 678-679 webui: send API version in RPC requests and adapt to new response format
On 6/25/2014 8:51 AM, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4394 == [PATCH] 678 webui: send API version in RPC requests == Currently there is an incorrect behavior that server doesn't send datetime and dnsname data in new format. This patch adds the version to each RPC request making the UI look as the latest client. Server then sends data in correct format. It also removes the unknown version warning from each RPC response. == [PATCH] 679 webui: extract rpc value from object envelope == adapt Web UI to a newer style of encapsulation object data ACK. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 670-675 webui: dns forward zones
On 6/24/2014 9:39 AM, Petr Vobornik wrote: On 24.6.2014 13:02, Petr Vobornik wrote: ticket: https://fedorahosted.org/freeipa/ticket/4357 - patch 673 is compressed - CI patches functionally depends on #667, #668 == PATCH] 670 webui: add confirmation for dns zone permission actions == All header actions should require confirmation. == [PATCH] 671 webui: dns forward zones == Add DNS Forward Zones Web UI. - pages under: Identity/DNS/DNS Forward Zones == [PATCH] 672 webui-ci: dns forward zone tests == Selenium CI sanity tests for DNS Forward Zones == [PATCH] 673 webui-test: static metadata update == Regular update of static metadata for testing and presentation purposes. It should also contain new DNS Forward Zones metadata. == [PATCH] 674 webui-test: dns forward zone json data == Fake API results for testing and presentation purposes of DNS Forward Zones. == [PATCH] 675 webui: fix detection of RPC command == old detection did not work with the static version used for test and demonstration purposes. Attaching an updated version of #675 with a fix for unit tests. ACK. Some comments below. Btw I'm not very satisfied with patch #675's approach. I'm open to suggestions for better approaches. How about adding another parameter to get_record() to indicate the type of the data? Possible improvements: 1. In the Add DNS Forward Zone dialog, if the Zone forwarders is empty and you click Add, there is no error message. 2. In the same dialog, by default there probably should be an empty field to enter the Zone forwarders because it's required. The admin can click Add to add additional forwarders. 3. The permission name is only displayed briefly after creation. It would be nice to display the permission name or a link to it in the details page. 4. Unrelated. Should undo and undo all be capitalized? They seem to be inconsistent with other buttons. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel