[Freeipa-devel] Announcing FreeIPA 4.2.0
The FreeIPA team is proud to announce the FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

This announcement with additional ticket and design page links is available at http://www.freeipa.org/page/Releases/4.2.0.

== Highlights in 4.2 ==

=== Enhancements ===

* Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to have a consistent state for all certificate creation requests. The certificate submission requests are authorized by the new CA ACL rules
* Support One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using the UI or LDAP interface and have them moved to active users by a single command. Deleted users can now also be moved - 'preserved' - to a special tree and re-activated when the user returns, preserving their UID/GID
* Support for the Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even the FreeIPA server does not know the secrets!
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool ('ipa-server-upgrade') providing a simplified interface for upgrading the FreeIPA server. See details in the separate subsection.
* Service constrained delegation rules can now be added by UI and CLI
* FreeIPA Web UI now provides an API browser and documentation. See the 'IPA Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create their own services
* FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* FreeIPA Web Server no longer uses the deprecated 'mod_auth_kerb' but switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* 'migrate-ds' command can now search the migrated users and groups with a different scope
* DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow the Deployment Recommendations for DNS (wiki page Deployment_Recommendations#DNS).
* 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===

The server still upgrades automatically during RPM update. However, 'ipactl start' now verifies that the server was really upgraded before starting FreeIPA, to prevent running upgraded bits on old data when 'ipa-server-upgrade' was not run during the RPM update (for example during a FedUp Fedora upgrade).

The update files (files in '/usr/share/ipa/updates/') format was changed. Namely:

* Updates are not merged, update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from update files ('plugin: plugin name')

== Upgrading ==

Upgrade instructions are available on the Upgrade page.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Detailed Changelog since 4.1 ==

=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

===
Re: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission
On 10/07/15 07:32, Jan Cholasta wrote: Hi, Dne 9.7.2015 v 16:55 Martin Basti napsal(a): https://fedorahosted.org/freeipa/ticket/5075 Patch attached. the check is very plugin-specific, so I don't think it should be in ipalib.util. You can keep it in privilege and import it from there in permission just fine. Honza Updated patch attached. -- Martin Basti From 46f47facdd6ecd0bd5f6bd5d3b1ed17c9776ff7a Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 9 Jul 2015 16:48:36 +0200 Subject: [PATCH] Validate adding privilege to a permission Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type. https://fedorahosted.org/freeipa/ticket/5075 --- ipalib/plugins/permission.py | 7 ++ ipalib/plugins/privilege.py | 53 +++- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index f2e896935cc777801ec3a70262372f296b1ea2b8..e02828e9abfff453857a50ce9fc5b04fee523d27 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -21,6 +21,7 @@ import re import traceback from ipalib.plugins import baseldap +from ipalib.plugins.privilege import validate_permission_to_privilege from ipalib import errors from ipalib.parameters import Str, StrEnum, DNParam, Flag from ipalib import api, _, ngettext @@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember): Add members to a permission. NO_CLI = True +def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options): +# We can only add permissions with bind rule type set to +# permission (or old-style permissions) +validate_permission_to_privilege(self, ldap, keys[-1]) +return dn + @register() class permission_remove_member(baseldap.LDAPRemoveMember): diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py index 867544359f76fdcb44cd3015f7466a46ba492bec..ff9ccdef756d22a21455ee3920e4fe1a8e2df274 100644 --- a/ipalib/plugins/privilege.py 
+++ b/ipalib/plugins/privilege.py @@ -45,6 +45,33 @@ See role and permission for additional information. register = Registry() +def validate_permission_to_privilege(obj, ldap, permission): +ldapfilter = ldap.combine_filters(rules='', filters=[ +'(objectClass=ipaPermissionV2)', +'(!(ipaPermBindRuleType=permission))', +ldap.make_filter_from_attr('cn', permission, rules='|'), +]) +try: +entries, truncated = ldap.find_entries( +filter=ldapfilter, +attrs_list=['cn', 'ipapermbindruletype'], +base_dn=DN(obj.api.env.container_permission, + obj.api.env.basedn), +size_limit=1) +except errors.NotFound: +pass +else: +entry = entries[0] +message = _('cannot add permission %(perm)s with bindtype ' +'%(bindtype)s to a privilege') +raise errors.ValidationError( +name='permission', +error=message % { +'perm': entry.single_value['cn'], +'bindtype': entry.single_value.get( +'ipapermbindruletype', 'permission')}) + + @register() class privilege(LDAPObject): @@ -185,31 +212,7 @@ class privilege_add_permission(LDAPAddReverseMember): if options.get('permission'): # We can only add permissions with bind rule type set to # permission (or old-style permissions) -ldapfilter = ldap.combine_filters(rules='', filters=[ -'(objectClass=ipaPermissionV2)', -'(!(ipaPermBindRuleType=permission))', -ldap.make_filter_from_attr('cn', options['permission'], - rules='|'), -]) -try: -entries, truncated = ldap.find_entries( -filter=ldapfilter, -attrs_list=['cn', 'ipapermbindruletype'], -base_dn=DN(self.api.env.container_permission, - self.api.env.basedn), -size_limit=1) -except errors.NotFound: -pass -else: -entry = entries[0] -message = _('cannot add permission %(perm)s with bindtype ' -'%(bindtype)s to a privilege') -raise errors.ValidationError( -name='permission', -error=message % { -'perm': entry.single_value['cn'], -'bindtype': entry.single_value.get( -'ipapermbindruletype', 'permission')}) +
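Review bot: the new module-level import in ipalib/plugins/permission.py, `from ipalib.plugins.privilege import validate_permission_to_privilege`, makes the permission plugin depend on the privilege plugin at load time; check that privilege.py has no module-level import of permission, because that would turn plugin loading into a circular import. Importing inside `pre_callback` would keep the two plugins decoupled without changing behaviour.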
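Review bot: `permission_add_member.pre_callback` calls `validate_permission_to_privilege(self, ldap, keys[-1])` on every invocation, while the block it replaces in privilege_add_permission only ran the search under `if options.get('permission'):`; guard the new call the same way so an add with no members does not cost an LDAP search. The helper also raises its ValidationError with `name='permission'`, which on this command is the permission being edited rather than the member being added, so the CLI will attribute the error to the wrong argument.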
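Review bot: in `validate_permission_to_privilege`, `ldap.combine_filters(rules='', filters=[...])` joins the three sub-filters with an empty rule in the archived copy of the patch; the check is only meaningful as a conjunction (objectClass ipaPermissionV2 AND bind rule type not 'permission' AND cn in the given list), so make sure the AND operator is what is passed. Separately, `size_limit=1` together with `entries[0]` means that when several permissions are passed at once only the first offending one is named and `truncated` is never consulted; either drop the size limit and list every mismatch in the error, or say in the message that more may follow.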
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
On 10.7.2015 at 10:43, Martin Basti wrote:
> On 10/07/15 07:29, Jan Cholasta wrote:
>> Hi,
>>
>> On 9.7.2015 at 17:21, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5074
>>>
>>> Patch attached.
>>
>> NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile.
>>
>> Honza
>
> Updated patch attached.

What I meant was remove --rename *and* do the check from your previous patch.

Anyway, I didn't realize we already released IPA with certprofile and removing --rename would be a backward incompatible change, so I think it's better to just keep it. So ACK on the original patch.

-- 
Jan Cholasta

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
On 10.7.2015 at 10:59, Jan Cholasta wrote:
> On 10.7.2015 at 10:43, Martin Basti wrote:
>> On 10/07/15 07:29, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 9.7.2015 at 17:21, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>
>>>> Patch attached.
>>>
>>> NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile.
>>>
>>> Honza
>>
>> Updated patch attached.
>
> What I meant was remove --rename *and* do the check from your previous patch.
>
> Anyway, I didn't realize we already released IPA with certprofile and removing --rename would be a backward incompatible change, so I think it's better to just keep it. So ACK on the original patch.

Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> On 10.7.2015 at 10:59, Jan Cholasta wrote:
>> On 10.7.2015 at 10:43, Martin Basti wrote:
>>> On 10/07/15 07:29, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 9.7.2015 at 17:21, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>>
>>>>> Patch attached.
>>>>
>>>> NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile.
>>>>
>>>> Honza
>>>
>>> Updated patch attached.
>>
>> What I meant was remove --rename *and* do the check from your previous patch.
>>
>> Anyway, I didn't realize we already released IPA with certprofile and removing --rename would be a backward incompatible change, so I think it's better to just keep it. So ACK on the original patch.
>
> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

I see no LDAP ACI that prevents a rename though, without that an admin can simply issue a modrdn operation.
If it is critical for us to not allow renames we should rather have an ACI that prohibits them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
On 10.7.2015 at 11:10, Simo Sorce wrote:
> On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
>> On 10.7.2015 at 10:59, Jan Cholasta wrote:
>>> On 10.7.2015 at 10:43, Martin Basti wrote:
>>>> On 10/07/15 07:29, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 9.7.2015 at 17:21, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>>>
>>>>>> Patch attached.
>>>>>
>>>>> NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile.
>>>>>
>>>>> Honza
>>>>
>>>> Updated patch attached.
>>>
>>> What I meant was remove --rename *and* do the check from your previous patch.
>>>
>>> Anyway, I didn't realize we already released IPA with certprofile and removing --rename would be a backward incompatible change, so I think it's better to just keep it. So ACK on the original patch.
>>
>> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
>
> I see no LDAP ACI that prevents a rename though, without that an admin can simply issue a modrdn operation.
> If it is critical for us to not allow renames we should rather have an ACI that prohibits them.

AFAIK there is no ACI to prevent renaming hosts (the check in this patch is copied from the host plugin) or users either and so far nobody complained. I'm not saying this is right, but the patch is consistent with existing code.

-- 
Jan Cholasta
[Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac
Name update + the renamed package breaks 'dnf builddep'. I will report the bug. Yum can take care of the conflict resolution. Patch attached. Milan From 3d79c32ffad3ab280b7d84507d402039b70fa8e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= mku...@redhat.com Date: Fri, 10 Jul 2015 11:59:24 +0200 Subject: [PATCH] spec file: update the package name from libipa_hbac-python to python-libipa_hbac --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e78ad1a0851186c7fdb5ab0a4649b64b2b1e010f..5310fc643b209c9ea895184f96836b1d958a6a01 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -75,7 +75,7 @@ BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint = 1.0 BuildRequires: python-polib -BuildRequires: libipa_hbac-python +BuildRequires: python-libipa_hbac BuildRequires: python-memcached BuildRequires: sssd = 1.13.0 BuildRequires: python-lxml @@ -296,7 +296,7 @@ Requires: python-nss = 0.16 Requires: python-cryptography Requires: python-lxml Requires: python-netaddr -Requires: libipa_hbac-python +Requires: python-libipa_hbac Requires: python-qrcode-core = 5.0.0 Requires: python-pyasn1 Requires: python-dateutil -- 1.9.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
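Review bot: both hunks swap the dependency name unconditionally, so the spec stops resolving on any build host that still provides only libipa_hbac-python (the `dnf builddep` breakage the submission mentions); since the renamed package is shipped by SSSD, the `sssd` version requirement two lines below the first hunk is the place to record the release that introduced python-libipa_hbac, so the new name and the version floor stay in step.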
Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features
On Wed, 2015-07-08 at 00:09 +0200, Tomas Babej wrote:
> On 07/07/2015 07:16 PM, Martin Basti wrote:
>> On 07/07/15 10:33, Tomas Babej wrote:
>>> Hi,
>>>
>>> * Hide topology and domainlevel commands in the CLI
>>> * Hide topology and domainlevel in the WebUI
>>> * Set maximum allowed domain level to 0
>>> * Do not configure and enable the topology plugin
>>>
>>> https://fedorahosted.org/freeipa/ticket/5097
>>
>> ACK
>>
>> -- 
>> Martin Basti
>
> Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121

Can we revert the Max Domain Level change in master ?
It should have been changed only in the 4.2 branch!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
On 07/09/2015 01:49 PM, Veronika Kabatova wrote:
> The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 ticket.
>
> Veronika Kabatova

Hello,

thanks for the patch. Actually, the doctest does not pass:

$ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py --doctest-modules
= test session starts =
platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4
plugins: multihost, sourceorder
collected 85 items

../ipalib/errors.py ...F..F..

== FAILURES ===
_ [doctest] ipalib.errors.DNSNotARecordError __
1137
1138 **4019** Raised when a hostname is not a DNS A/ record
1139
1140 For example:
1141
1142 raise DNSNotARecordError()
Differences (unified diff with -expected +actual):
@@ -1,4 +1,6 @@
 Traceback (most recent call last):
-  ...
-DNSNotARecordError: Host does not have corresponding DNS A/ record,
-use --force to continue anyway
+  File /usr/lib64/python2.7/doctest.py, line 1315, in __run
+compileflags, 1) in test.globs
+  File doctest ipalib.errors.DNSNotARecordError[0], line 1, in module
+raise DNSNotARecordError()
+DNSNotARecordError: Host does not have corresponding DNS A/ record, use --force to continue anyway

/usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure

The reason for the mismatch here is that you wrapped the line - in this case, we need to violate PEP8 and allow the length of the line to exceed 80 characters.

HTH,
Tomas
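The mismatch Tomas describes, reproduced through doctest's own API in Python 3, together with the directive that lets the expected message stay wrapped without going over 80 columns. This is an added example, not code from the patch or from ipalib; DNSNotARecordError below is a stand-in class constructed for it, and the `__module__` line only exists because Python 3 (unlike the Python 2.7 in the thread) prefixes the module name in the traceback line.

```python
"""Why a line-wrapped expected exception message fails a doctest.

Added example; DNSNotARecordError is a constructed stand-in for the
ipalib.errors class, not the real one.
"""
import doctest

MESSAGE = ("Host does not have corresponding DNS A/AAAA record, "
           "use --force to continue anyway")


class DNSNotARecordError(Exception):
    """Stand-in for ipalib.errors.DNSNotARecordError (constructed here)."""
    # Python 3 prints 'module.Class:' in the traceback line unless the class
    # lives in __main__; the doctest expects the bare name, as Python 2 printed it.
    __module__ = "__main__"

    def __init__(self):
        super().__init__(MESSAGE)


GLOBS = {"DNSNotARecordError": DNSNotARecordError}

# Expected block wrapped under 80 columns, the form that failed in the thread.
WRAPPED = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record,
use --force to continue anyway
"""

# The fix Tomas asks for: the message on one line, longer than 80 columns.
ONE_LINE = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, use --force to continue anyway
"""

# Alternative that keeps the wrap: a per-example directive makes doctest
# collapse runs of whitespace (the newline included) before comparing.
WRAPPED_NORMALIZED = """
>>> raise DNSNotARecordError()  # doctest: +NORMALIZE_WHITESPACE
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record,
use --force to continue anyway
"""


def run_docstring(docstring):
    """Run one docstring through doctest and return (failed, attempted).

    doctest compares only the exception line(s) after the traceback header,
    so the wrapped form differs from the raised message by a newline.
    """
    test = doctest.DocTestParser().get_doctest(
        docstring, dict(GLOBS), "example", None, 0)
    runner = doctest.DocTestRunner(verbose=False)
    result = runner.run(test, out=lambda text: None)  # silence the report
    return result.failed, result.attempted


if __name__ == "__main__":
    for name, doc in (("wrapped", WRAPPED), ("one line", ONE_LINE),
                      ("wrapped + NORMALIZE_WHITESPACE", WRAPPED_NORMALIZED)):
        failed, attempted = run_docstring(doc)
        print(f"{name}: {failed} of {attempted} failed")
```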
Re: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac
Hi,

On 10.7.2015 at 12:05, Milan Kubik wrote:
> Name update + the renamed package breaks 'dnf builddep'. I will report the bug. Yum can take care of the conflict resolution.
>
> Patch attached.

You might as well update libsss_nss_idmap-python to python-libsss_nss_idmap while you are at it.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] Time-Based Account Policies
On 07/10/2015 12:43 PM, Alexander Bokovoy wrote:
> On Fri, 10 Jul 2015, Stanislav Laznicka wrote:
>> Hi,
>>
>> Long time no post from me, time to make it up to you.
> Welcome back!
>
>> I have been working on the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow.
>>
>> The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid.
>>
>> There were some uncertainties in the design as well. I ran into 2 of these but more may come.
>>
>> The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one.
> One thing you need to realize is that there is no universal 'week starts on Sunday'. There are different ways of starting a week, some countries do it on Sunday, some -- on Saturday, some -- on Monday. This means you need to make it possible to pull in a locale definition if you really want this functionality and then it also becomes quite fuzzy as there are legal definitions of what a week is (as well as a month and a work day).

Yes, it could be more complicated, e.g. see Week Of Month in Java:

  week-of-month: The calculation ensures that weeks never overlap a month boundary. The month is divided into periods where each period starts on the defined first day-of-week. The earliest period is referred to as week 0 if it has less than the minimal number of days and week 1 if it has at least the minimal number of days.

  public int getMinimalDaysInFirstWeek(): Gets the minimal number of days in the first week. The number of days considered to define the first week of a month or year varies by culture. For example, the ISO-8601 requires 4 days (more than half a week) to be present before counting the first week.

https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html

>> The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one.
> You certainly can set it more than 2038 (time doesn't stop there). What you are limited with is Kerberos 32-bit time stamp, not HBAC policy time definition. I would say we better set to 64-bit ourselves and handle irregularities in SSSD.

Yes, we should talk.

Some comments from looking at patch 0004:

1. The list of time zones should be moved to a module property so that it can be reused elsewhere if needed. Other possibility is to get this list from the backend, e.g. on Web UI load or something.

2. Please don't do any changes to patternfly.js. It's updated only when bundled PatternFly is updated. Long term goal is to get it out of FreeIPA git. All IPA css changes should be done in install/ui/less/*less files - as you did in widgets.less. From these .less files an install/ui/css/ipa.css file is created.

Note that there is also install/ui/ipa.css which contains most of the ipa specific styles. It's planned to move these styles to .less files as well.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id
On Fri, 2015-07-10 at 11:28 +0200, Jan Cholasta wrote:
> On 10.7.2015 at 11:10, Simo Sorce wrote:
>> On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
>>> On 10.7.2015 at 10:59, Jan Cholasta wrote:
>>>> On 10.7.2015 at 10:43, Martin Basti wrote:
>>>>> On 10/07/15 07:29, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 9.7.2015 at 17:21, Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>>>>
>>>>>>> Patch attached.
>>>>>>
>>>>>> NACK, you should remove the --rename option from certprofile-mod. You can do it by removing rdn_is_primary_key = True from certprofile.
>>>>>>
>>>>>> Honza
>>>>>
>>>>> Updated patch attached.
>>>>
>>>> What I meant was remove --rename *and* do the check from your previous patch.
>>>>
>>>> Anyway, I didn't realize we already released IPA with certprofile and removing --rename would be a backward incompatible change, so I think it's better to just keep it. So ACK on the original patch.
>>>
>>> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
>>
>> I see no LDAP ACI that prevents a rename though, without that an admin can simply issue a modrdn operation.
>> If it is critical for us to not allow renames we should rather have an ACI that prohibits them.
>
> AFAIK there is no ACI to prevent renaming hosts (the check in this patch is copied from the host plugin) or users either and so far nobody complained. I'm not saying this is right, but the patch is consistent with existing code.

Renaming users is explicitly allowed, renaming hosts is something we may want to prevent too.
Maybe we should add a ticket to take care of these things ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Time-Based Account Policies
On 07/10/2015 01:10 PM, Petr Vobornik wrote:
> On 07/10/2015 12:43 PM, Alexander Bokovoy wrote:
>> On Fri, 10 Jul 2015, Stanislav Laznicka wrote:
>>> Hi,
>>>
>>> Long time no post from me, time to make it up to you.
>> Welcome back!
>>
>>> I have been working on the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow.
>>>
>>> The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid.
>>>
>>> There were some uncertainties in the design as well. I ran into 2 of these but more may come.
>>>
>>> The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one.
>> One thing you need to realize is that there is no universal 'week starts on Sunday'. There are different ways of starting a week, some countries do it on Sunday, some -- on Saturday, some -- on Monday. This means you need to make it possible to pull in a locale definition if you really want this functionality and then it also becomes quite fuzzy as there are legal definitions of what a week is (as well as a month and a work day).
>
> Yes, it could be more complicated, e.g. see Week Of Month in Java:
>
>   week-of-month: The calculation ensures that weeks never overlap a month boundary. The month is divided into periods where each period starts on the defined first day-of-week. The earliest period is referred to as week 0 if it has less than the minimal number of days and week 1 if it has at least the minimal number of days.
>
>   public int getMinimalDaysInFirstWeek(): Gets the minimal number of days in the first week. The number of days considered to define the first week of a month or year varies by culture. For example, the ISO-8601 requires 4 days (more than half a week) to be present before counting the first week.
>
> https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html

That is a pretty good example of what a week is, thanks. I don't think I would want the functionality of having weeks begin with different weekdays according to locale. I would rather stick to the ISO 8601 as described in the link Petr sent. I was rather wondering whether weekofmonth should mean the x-th appearance of a day in a month or an appearance of this day in the x-th week of the month. However, the definition above is quite strong and I think I could live with a week starting only on Monday and having 0-th weeks in a month.

>>> The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one.
>> You certainly can set it more than 2038 (time doesn't stop there). What you are limited with is Kerberos 32-bit time stamp, not HBAC policy time definition. I would say we better set to 64-bit ourselves and handle irregularities in SSSD.
>
> Yes, we should talk.
>
> Some comments from looking at patch 0004:
>
> 1. The list of time zones should be moved to a module property so that it can be reused elsewhere if needed. Other possibility is to get this list from the backend, e.g. on Web UI load or something.
>
> 2. Please don't do any changes to patternfly.js. It's updated only when bundled PatternFly is updated. Long term goal is to get it out of FreeIPA git. All IPA css changes should be done in install/ui/less/*less files - as you did in widgets.less. From these .less files an install/ui/css/ipa.css file is created.
>
> Note that there is also install/ui/ipa.css which contains most of the ipa specific styles. It's planned to move these styles to .less files as well.

I put those 2 last commits together, the only difference there was that once the styles were set correctly (0005) and incorrectly in the previous patch (0004). Attaching the last commit, also hopefully with correct formatting as pointed out by Martin Basti.

I should add the list of time zones to a
Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features
On 07/10/2015 03:07 PM, Simo Sorce wrote:
> On Wed, 2015-07-08 at 00:09 +0200, Tomas Babej wrote:
>> On 07/07/2015 07:16 PM, Martin Basti wrote:
>>> On 07/07/15 10:33, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> * Hide topology and domainlevel commands in the CLI
>>>> * Hide topology and domainlevel in the WebUI
>>>> * Set maximum allowed domain level to 0
>>>> * Do not configure and enable the topology plugin
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5097
>>>
>>> ACK
>>>
>>> -- 
>>> Martin Basti
>>
>> Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121
>
> Can we revert the Max Domain Level change in master ?
> It should have been changed only in the 4.2 branch!
>
> Simo.

This was pushed prior to the branching of the ipa-4-2 branch.

I will prepare a patch.

Tomas
Re: [Freeipa-devel] Time-Based Account Policies
On Fri, 10 Jul 2015, Stanislav Laznicka wrote: Hi, Long time no post from me, time to make it up to you. Welcome back! I have been working on the the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow. The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid. There were some uncertainties in the design as well. I ran into 2 of these but more may come. The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one. One thing you need to realize that there is no universal 'week starts on Sunday'. There are different ways of starting a week, some countries do it on Sunday, some -- on Saturday, some -- on Monday. This means you need to make possible to pull in a locale definition if you really want this functionality and then it also becomes quite fuzzy as there are legal definitions of what a week is (as well as a month and a work day). 
The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one. You certainly can set it more than 2038 (time doesn't stop there). What you are limited by is the Kerberos 32-bit time stamp, not the HBAC policy time definition. I would say we had better set it to 64-bit ourselves and handle irregularities in SSSD. -- / Alexander Bokovoy
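The two readings of weekofmonth that Stanislav describes, plus the locale knob Alexander raises, as an added example that is not part of the thread or of the FreeIPA/SSSD patches: the first function counts calendar rows whose first day is configurable (Monday-start rows give "Friday, Saturday, Sunday" as week 1 in the example month), the second counts fixed seven-day blocks. May 2015, which begins on a Friday, is the sample month. Function and parameter names are assumptions.

```python
import calendar
from datetime import date


def week_of_month_rows(d, firstweekday=calendar.MONDAY):
    """Interpretation 1: the week number is the row of a month calendar whose
    rows start on `firstweekday`; a partial first row counts as week 1.

    `firstweekday` is the locale-dependent choice: calendar.MONDAY (0),
    calendar.SUNDAY (6), calendar.SATURDAY (5), and so on.
    """
    first_of_month = d.replace(day=1)
    # Days of the first row that belong to the previous month.
    leading = (first_of_month.weekday() - firstweekday) % 7
    return (leading + d.day - 1) // 7 + 1


def week_of_month_seven_days(d):
    """Interpretation 2: week N is days 7*(N-1)+1 .. 7*N of the month,
    whatever the weekday. Week 1 of a month starting Friday the 1st ends
    on Thursday the 7th; Friday the 8th is week 2."""
    return (d.day - 1) // 7 + 1


def matches_weekofmonth(d, allowed_weeks, mode="rows", firstweekday=calendar.MONDAY):
    """Evaluate a weekofmonth rule for one date under the chosen semantics
    (assumed rule shape: a set of allowed week numbers)."""
    if mode == "rows":
        week = week_of_month_rows(d, firstweekday)
    elif mode == "seven_days":
        week = week_of_month_seven_days(d)
    else:
        raise ValueError("unknown mode: %r" % (mode,))
    return week in allowed_weeks


if __name__ == "__main__":
    # May 2015 begins on a Friday, the case discussed in the thread.
    for day in (1, 3, 4, 7, 8, 31):
        d = date(2015, 5, day)
        print(d, d.strftime("%a"),
              "rows/Mon:", week_of_month_rows(d, calendar.MONDAY),
              "rows/Sun:", week_of_month_rows(d, calendar.SUNDAY),
              "7-day:", week_of_month_seven_days(d))
```

Running the block shows why the choice matters for an access rule: under Monday-start rows May 2015 has five weeks, under Sunday-start rows it has six, and under seven-day blocks Sunday the 3rd is still week 1 while Friday the 8th is week 2.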
Re: [Freeipa-devel] [patch 0004] spec file: Update the package name from libipa_hbac-python to python-libipa_hbac
On 07/10/2015 12:55 PM, Jan Cholasta wrote: Hi, Dne 10.7.2015 v 12:05 Milan Kubik napsal(a): Name update + the renamed package breaks 'dnf builddep'. I will report the bug. Yum can take care of the conflict resolution. Patch attached. You might as well update libsss_nss_idmap-python to python-libsss_nss_idmap while you are at it. Honza Hi, new patch is here :) Self-NACK on 0004. From 3067b69c1b5b11ba7ee6ae34d8efcf97219e1d7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= mku...@redhat.com Date: Fri, 10 Jul 2015 11:59:24 +0200 Subject: [PATCH] spec file: update the python package names for libipa_hbac and libsss_nss_idmap --- freeipa.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e78ad1a0851186c7fdb5ab0a4649b64b2b1e010f..e9f97c3d68898c63a299408b93a6330e65f35d0e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -75,7 +75,7 @@ BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint = 1.0 BuildRequires: python-polib -BuildRequires: libipa_hbac-python +BuildRequires: python-libipa_hbac BuildRequires: python-memcached BuildRequires: sssd = 1.13.0 BuildRequires: python-lxml @@ -204,7 +204,7 @@ Requires: samba-python Requires: samba = %{samba_version} Requires: samba-winbind Requires: libsss_idmap -Requires: libsss_nss_idmap-python +Requires: python-libsss_nss_idmap Requires: oddjob Requires: python-sss # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 @@ -296,7 +296,7 @@ Requires: python-nss = 0.16 Requires: python-cryptography Requires: python-lxml Requires: python-netaddr -Requires: libipa_hbac-python +Requires: python-libipa_hbac Requires: python-qrcode-core = 5.0.0 Requires: python-pyasn1 Requires: python-dateutil -- 1.9.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
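Review bot: all three hunks rename the dependency without recording which sssd release first ships packages under the new names python-libipa_hbac and python-libsss_nss_idmap; the neighbouring 'BuildRequires: sssd = 1.13.0' pin is the only hint, and the thread already reports that 'dnf builddep' breaks on the rename, so a one-line comment next to that pin saying it is also the floor for the new package names would save the next person a bisect.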
[Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets
Hi, the recent set of patches that modified api broke the tests that are included in ipalib/cli.py This patch fixes the problems by passing api instance to textui() calls. Milan From 5df216ad49c6787a6e170a483c545d0fdcc99828 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= mku...@redhat.com Date: Fri, 10 Jul 2015 11:56:02 +0200 Subject: [PATCH] ipalib: pass api instance into textui in doctest snippets --- ipalib/cli.py | 25 + 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/ipalib/cli.py b/ipalib/cli.py index b260ca65172dab7ba56a23b78c086f49f5c18f70..4104e6482e4e713d701c6c1a4313ab6ecc899057 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -50,6 +50,7 @@ from errors import (PublicError, CommandError, HelpError, InternalError, from constants import CLI_TAB, LDAP_GENERALIZED_TIME_FORMAT from parameters import File, Str, Enum, Any, Flag from text import _ +from ipalib import api from ipapython.version import API_VERSION from ipapython.dnsutil import DNSName @@ -100,7 +101,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) rows = [ ... ('a', 'package'), ... ('an', 'egg'), @@ -178,7 +179,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_line('This line can fit!', width=18) This line can fit! ui.print_line('This line wont quite fit!', width=18) @@ -204,7 +205,7 @@ class textui(backend.Backend): ... Python is a dynamic object-oriented programming language that can ... be used for many kinds of software development. ... ''' - ui = textui() + ui = textui(api) ui.print_paragraph(text, width=45) Python is a dynamic object-oriented programming language that can be used for @@ -229,7 +230,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_indented('One indentation level.') One indentation level. ui.print_indented('Two indentation levels.', indent=2) 
@@ -249,7 +250,7 @@ class textui(backend.Backend): ... ('in_server', True), ... ('mode', u'production'), ... ] - ui = textui() + ui = textui(api) ui.print_keyval(items) in_server = True mode = u'production' @@ -269,7 +270,7 @@ class textui(backend.Backend): For example: attr = 'dn' - ui = textui() + ui = textui(api) ui.print_attribute(attr, u'dc=example,dc=com') dn: dc=example,dc=com attr = 'objectClass' @@ -407,7 +408,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_dashed('Dashed above and below.') --- Dashed above and below. @@ -434,7 +435,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_h1('A primary header') A primary header @@ -448,7 +449,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_h2('A secondary header') -- A secondary header @@ -464,7 +465,7 @@ class textui(backend.Backend): command. For example, a hypothetical ``show_status`` command would output something like this: - ui = textui() + ui = textui(api) ui.print_name('show_status') show-status: @@ -481,7 +482,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_summary('Added user jdoe') - Added user jdoe @@ -500,7 +501,7 @@ class textui(backend.Backend): For example: - ui = textui() + ui = textui(api) ui.print_count(1, '%d goose', '%d geese') --- 1 goose -- 1.9.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
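Review bot: the module-level `from ipalib import api` in the first hunk exists only to serve the doctest snippets, yet it now runs whenever ipalib/cli.py is imported; if the methods the snippets exercise (`print_line`, `print_paragraph`, `print_keyval`, `print_dashed`, ...) do not actually consult the api, the snippets could build their `textui(api)` from an API instance created inside the doctest, keeping cli.py free of the global. Either way, a short comment on the import explaining why it is there would stop someone dropping it as unused later.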
Re: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets
On 07/10/2015 01:57 PM, Milan Kubik wrote: Hi, the recent set of patches that modified api broke the tests that are included in ipalib/cli.py. This patch fixes the problems by passing api instance to textui() calls. Milan This may not be the complete solution. Similar problems arise in the rest of the tests in ipalib modules. I guess the code examples (doctest test cases) are all affected by the changes to the api object.
[Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files
https://fedorahosted.org/freeipa/ticket/5034 Patch attached. -- Martin Basti From d77e41e76c333e504600109d4d9fdd41809bfe8b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Fri, 10 Jul 2015 14:17:02 +0200 Subject: [PATCH] copy-schema-to-ca: allow to overwrite schema files If content of source and target file differs, the script will ask user for permission to overwrite target file. https://fedorahosted.org/freeipa/ticket/5034 --- install/share/copy-schema-to-ca.py | 29 ++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 1614e11636c2f52e231ea2ff40d882209194c60a..ff6c3568586f9f4b3fac7f848869e74d0db0df34 100755 --- a/install/share/copy-schema-to-ca.py +++ b/install/share/copy-schema-to-ca.py @@ -15,6 +15,8 @@ import sys import pwd import shutil +from hashlib import sha1 + from ipapython import ipautil, dogtag from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipaserver.install.dsinstance import DS_USER, schema_dirname @@ -42,6 +44,11 @@ SCHEMA_FILENAMES = ( ) +def _sha1_file(filename): +with open(filename, 'rb') as f: +return sha1(f.read()).hexdigest() + + def add_ca_schema(): Copy IPA schema files into the CA DS instance 
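Review bot: `_sha1_file` in the first hunk reads the whole file into memory and hashes it with SHA-1, which is fine for deciding equality of two small local schema files but is more machinery than the question needs; `filecmp.cmp(source_fname, target_fname, shallow=False)` answers it without a helper, and if a digest is kept because it is printed for the operator, `hashlib.sha256` is the better one to show in a log line.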
@@ -54,9 +61,25 @@ def add_ca_schema(): root_logger.debug('File does not exist: %s', source_fname) continue if os.path.exists(target_fname): -root_logger.info( -'Target exists, not overwriting: %s', target_fname) -continue +target_sha1 = _sha1_file(target_fname) +source_sha1 = _sha1_file(source_fname) +if target_sha1 != source_sha1: +target_size = os.stat(target_fname).st_size +source_size = os.stat(source_fname).st_size +root_logger.info('Target file %s exists but the content is ' + 'different', target_fname) +root_logger.info('\tTarget file: sha1: %s, size: %s B', + target_sha1, target_size) +root_logger.info('\tSource file: sha1: %s, size: %s B', + source_sha1, source_size) +if not ipautil.user_input(Do you want replace %s file? % + target_fname, True): +continue + +else: +root_logger.info( +'Target exists, not overwriting: %s', target_fname) +continue try: shutil.copyfile(source_fname, target_fname) except IOError, e: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
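Review bot: in the second hunk `ipautil.user_input(..., True)` defaults the answer to yes, so a bare Enter silently replaces the CA instance's schema file, and a non-interactive run of the script (no tty, called from an installer or cron) will block on the prompt; consider defaulting to False, or taking an explicit overwrite option and skipping the prompt when stdin is not a terminal. The logged SHA-1 and size tell the operator that the files differ but not how; a diff of the two files would show what is about to be overwritten.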
[Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN
https://fedorahosted.org/freeipa/ticket/5038 I reworded the error message to keep the same format as stageuser-add and user-add. Patch attached. -- Martin Basti From 108b44354e049b4a1de009e144e2b645656bfc0e Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Fri, 10 Jul 2015 14:47:59 +0200 Subject: [PATCH] Stageuser-activate: show username instead of DN If the user to activate already exists, show the name of this user in the error message instead of the user DN. Error message reworded to keep the same format as stageuser-add, user-add. https://fedorahosted.org/freeipa/ticket/5038 --- ipalib/plugins/stageuser.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py index 35e636ded4474b00ad635c60340aaf66e6b41752..6cbc8f4ab07f2c1172f2b2c45bfe8f30a74938b3 100644 --- a/ipalib/plugins/stageuser.py +++ b/ipalib/plugins/stageuser.py @@ -682,8 +682,9 @@ class stageuser_activate(LDAPQuery): active_dn, ['dn'] ) assert isinstance(staging_dn, DN) -raise errors.DuplicateEntry(message=_('Active user %(user)s already exists') % dict( -user=test_entry_attrs.dn)) +raise errors.DuplicateEntry( +message=_('active user with name %(user)s already exists') % +dict(user=args[-1])) except errors.NotFound: pass -- 2.4.3
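Review bot: `args[-1]` in the hunk is not bound anywhere in the visible context, and FreeIPA LDAPQuery methods normally receive the primary key as `*keys`; confirm the name is right for this method, and note that it yields the login exactly as the caller typed it, whereas the previous `test_entry_attrs.dn` carried the stored (normalised) uid, so the message may differ in case from what stageuser-add prints for the same user.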
Re: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets
On 07/10/2015 02:15 PM, Milan Kubik wrote: On 07/10/2015 01:57 PM, Milan Kubik wrote: Hi, the recent set of patches that modified api broke the tests that are included in ipalib/cli.py. This patch fixes the problems by passing api instance to textui() calls. Milan This may not be the complete solution. Similar problems arise in the rest of the tests in ipalib modules. I guess the code examples (doctest test cases) are all affected by the changes to the api object. ACK for this patch. Pushed to: master: 61f41df9493acfbfd1cda017b40cf6786afd8815 ipa-4-2: c210b3d2843326e5bc934d397831d4d128c1b603 As far as the other modules go, I see most failures in the frontend: ../ipalib/__init__.py F ../ipalib/base.py . ../ipalib/cli.py ../ipalib/config.py . ../ipalib/crud.py F ../ipalib/errors.py . ../ipalib/frontend.py .FFF ../ipalib/messages.py . ../ipalib/output.py . ../ipalib/parameters.py ... ../ipalib/text.py ..
Re: [Freeipa-devel] Time-Based Account Policies
On 07/10/2015 01:12 PM, Matúš Honěk wrote: On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: On Fri, 10 Jul 2015, Stanislav Laznicka wrote: Hi, Long time no post from me, time to make it up to you. Welcome back! I have been working on the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow. The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid. There were some uncertainties in the design as well. I ran into 2 of these but more may come. The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one. One thing you need to realize is that there is no universal 'week starts on Sunday'. There are different ways of starting a week, some countries do it on Sunday, some -- on Saturday, some -- on Monday. 
This means you need to make it possible to pull in a locale definition if you really want this functionality and then it also becomes quite fuzzy as there are legal definitions of what a week is (as well as a month and a work day). I would definitely go with using the locales for deciding (same for weeks of year, etc.). In addition to that I would, personally, also make it clear to see the exact description of the policy currently in use, on the WebUI and CLI (if it is possible, of course). Maybe it is just me but I have no idea how to decide when the first week of a month is, even in my locale. (if it is already there then act as if I have said nothing) I am not sure about using locales to decide on which day a week should start. It seems better to stick to only one certain day to avoid confusion. I don't think it would be possible to have a note that says that this certain time policy applies at this certain time. It would be hard when only different time zones and UTC are taken into account, but the possibility to make a time policy whose time zone is dependent purely on the host's local time zone makes this impossible. Petr V. posted a nice way of how to define a week earlier in this thread, even the first and 0-th week. The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one. You certainly can set it more than 2038 (time doesn't stop there). What you are limited by is the Kerberos 32-bit time stamp, not the HBAC policy time definition. I would say we had better set it to 64-bit ourselves and handle irregularities in SSSD. 
Re: [Freeipa-devel] Time-Based Account Policies
On 07/10/2015 12:43 PM, Alexander Bokovoy wrote: On Fri, 10 Jul 2015, Stanislav Laznicka wrote: Hi, Long time no post from me, time to make it up to you. Welcome back! I have been working on the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow. The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid. There were some uncertainties in the design as well. I ran into 2 of these but more may come. The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one. One thing you need to realize is that there is no universal 'week starts on Sunday'. There are different ways of starting a week, some countries do it on Sunday, some -- on Saturday, some -- on Monday. This means you need to make it possible to pull in a locale definition if you really want this functionality and then it also becomes quite fuzzy as there are legal definitions of what a week is (as well as a month and a work day). 
I would definitely go with using the locales for deciding (same for weeks of year, etc.). In addition to that I would, personally, also make it clear to see the exact description of the policy currently in use, on the WebUI and CLI (if it is possible, of course). Maybe it is just me but I have no idea how to decide when the first week of a month is, even in my locale. (if it is already there then act as if I have said nothing) The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one. You certainly can set it more than 2038 (time doesn't stop there). What you are limited by is the Kerberos 32-bit time stamp, not the HBAC policy time definition. I would say we had better set it to 64-bit ourselves and handle irregularities in SSSD. -- Matúš Honěk
[Freeipa-devel] [PATCH 0337] ipalib: Fix missing format for InvalidDomainLevelError
Hi, this patch fixes missing format for the InvalidDomainLevelError exception. Pushed to, under oneliner rule: master: 8a4e79c9e6ebb92e5bcc3c53e3f0073c10333227 ipa-4-2: fe69b2cbe48c9874ac0ee1d34cce1cdb244abadc Tomas From 6d099e3a24c530f894d94b118e20baa1424e7f9c Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Fri, 10 Jul 2015 14:59:21 +0200 Subject: [PATCH] ipalib: Fix missing format for InvalidDomainLevelError --- ipalib/errors.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipalib/errors.py b/ipalib/errors.py index d874e68829e1a5491dec402d5976c3adfa556e84..74a29f40472ab19352b668e791e76a7d58ce74e6 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1361,6 +1361,7 @@ class InvalidDomainLevelError(ExecutionError): errno = 4032 +format = _('%(reason)s') class BuiltinError(ExecutionError): -- 2.1.0
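Review bot: `format = _('%(reason)s')` makes `reason` a required keyword at every raise site of InvalidDomainLevelError, so a raise that omits it now fails while formatting the message; the sibling error classes in ipalib/errors.py document their kwargs with a short doctest, and adding one here (`raise InvalidDomainLevelError(reason=...)` with its expected output) would both state the contract and catch a caller that omits it.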
Re: [Freeipa-devel] [PATCH 0338] Revert Hide topology and domainlevel features
On 07/10/2015 03:25 PM, Simo Sorce wrote: On Fri, 2015-07-10 at 15:18 +0200, Tomas Babej wrote: Hi, This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Tomas ACK Simo, Pushed to master: 510642196184e588b3014db1d1fdd7bc4aa2f5dd
Re: [Freeipa-devel] [PATCH 0338] Revert Hide topology and domainlevel features
On Fri, 2015-07-10 at 15:18 +0200, Tomas Babej wrote: Hi, This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Tomas ACK Simo, -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Time-Based Account Policies
On 10/07/15 12:08, Stanislav Laznicka wrote: Hi, Long time no post from me, time to make it up to you. I have been working on the implementation of the design of time policies for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of the FreeIPA solution. My comments and notes to the solution follow. The FreeIPA side backend base for time policies in HBAC seems working to me but still needs formal testing. Also, there is no conversion from the iCal format as previously requested and I personally would postpone this feature until the time policies functionality is rock solid. There were some uncertainties in the design as well. I ran into 2 of these but more may come. The first thing is how to deal with weeks in a month. There are two possibilities. A week in month (as specified by the weekofmonth keyword in the time policies) may be understood as a period of time between two Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would specify days Friday, Saturday, Sunday and anything from that Sunday on would be a weekofmonth=2 and on. However, I think a week in a month may also be considered a period of time that equals 7 days of a month. In the previous example, a weekofmonth=1 would therefore also apply to the following days up until Friday the 8th, excluding this last day. Although I implemented the first case in the SSSD, I actually started thinking the second case scenario might be the right or better one. The other thing is which years should be allowed to be the input of the year keyword. Currently, I set the range for these values to 1970-2038 according to the Unix timestamp. I'm not sure if anyone would want to set it less than 1970, setting it for a higher value than 2038 might probably make sense in some very special cases, although I really can't think of one. 
As for the WebUI, I am not really satisfied with the current state - the time zone select button requires saving the rule before any further setting on the page and the tables for setting the time rules don't allow editing the rules, which gets annoying fast. The WebUI for the time policies in HBAC was created for my Master's thesis purposes in a hurry and I will probably need to discuss it some more with Petr V. It works well for basic display and add/remove of the time rules, though. So, that is what I do now, aside from SSSD functionality. Please, let me know what your ideas are, especially about those weekofmonth and year issues. Cheers, Stanislav Laznicka Please revert this change, 'replaces' keyword is used only for legacy permission. Changes in new permissions are handled automatically by update plugin. 'replaces': [ -'(targetattr = servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost)(target =ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Modify HBAC rule;allow (write) groupdn =ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)', +'(targetattr = servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost)(target =ldap:///ipauniqueid=*,cn=hbac,$SUFFIX;)(version 3.0;acl permission:Modify HBAC rule;allow (write) groupdn =ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX;)', ], Martin -- Martin Basti
[Freeipa-devel] [PATCH 0338] Revert Hide topology and domainlevel features
Hi, This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. Tomas From 89e55240b3e3820b42e85b63cd1849816690321a Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Fri, 10 Jul 2015 15:16:31 +0200 Subject: [PATCH] Revert Hide topology and domainlevel features This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121. Hiding of the topology and domainlevel features was necessary for the 4.2 branch only. --- install/ui/src/freeipa/app.js | 3 +-- install/ui/src/freeipa/navigation/menu_spec.js | 4 ++-- ipalib/constants.py| 2 +- ipalib/plugins/domainlevel.py | 2 -- ipalib/plugins/topology.py | 11 --- ipaserver/install/dsinstance.py| 3 +-- 6 files changed, 5 insertions(+), 20 deletions(-) diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 1057120c02c000e5c21ad62c1517ccb59115f0cc..daf17b7ba021d3db8288f2de89a8ae4814172a70 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -50,8 +50,7 @@ define([ './service', './sudo', './trust', -// Hide topology for now -// './topology', +'./topology', './user', './stageuser', 'dojo/domReady!' diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 32bbd6aaab9e47854e74d26b7f23b89d8bfe7410..8140ddf252e87cf8c51c3f786974ba6a1f2eb390 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -205,7 +205,7 @@ var nav = {}; { entity: 'trustconfig' } ] }, -/* { +{ entity: 'topologysuffix', label: '@i18n:tabs.topology', facet: 'search', @@ -226,7 +226,7 @@ var nav = {}; hidden: true } ] -},*/ +}, { name: 'apibrowser', label: 'API browser', diff --git a/ipalib/constants.py b/ipalib/constants.py index 1509151bac7e0abca081cbba033701db410fc54c..53c3106cdd16fef0eba42a70518f7633b3fd95d1 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -238,4 +238,4 @@ IPA_ANCHOR_PREFIX = ':IPA:' SID_ANCHOR_PREFIX = ':SID:' MIN_DOMAIN_LEVEL = 0 -MAX_DOMAIN_LEVEL = 0 +MAX_DOMAIN_LEVEL = 1 diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py index 9012a3203323f381c2b927f76371d2b1df4b32a0..64e383006722fb2f32f5300d627b18b6daf051d4 100644 --- a/ipalib/plugins/domainlevel.py +++ b/ipalib/plugins/domainlevel.py @@ -74,7 +74,6 @@ def get_master_entries(ldap, api): @register() class domainlevel_get(Command): __doc__ = _('Query current Domain Level.') -NO_CLI = True has_output = domainlevel_output @@ -91,7 +90,6 @@ class domainlevel_get(Command): @register() class domainlevel_set(Command): __doc__ = _('Change current Domain Level.') -NO_CLI = True has_output = domainlevel_output diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py index 574e0d7ed42386f62a805272b6ec106bb946116c..de5ceb97583c9a40b4fe3783ec0fa40e6c325d0f 100644 --- a/ipalib/plugins/topology.py +++ b/ipalib/plugins/topology.py @@ -41,7 +41,6 @@ class topologysegment(LDAPObject): Topology segment. -NO_CLI = True parent_object = 'topologysuffix' container_dn = api.env.container_topology object_name = _('segment') @@ -196,7 +195,6 @@ class topologysegment(LDAPObject): class topologysegment_find(LDAPSearch): __doc__ = _('Search for topology segments.') -NO_CLI = True msg_summary = ngettext( '%(count)d segment matched', '%(count)d segments matched', 0 @@ -207,7 +205,6 @@ class topologysegment_find(LDAPSearch): class topologysegment_add(LDAPCreate): __doc__ = _('Add a new segment.') -NO_CLI = True msg_summary = _('Added segment %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): @@ -221,7 +218,6 @@ class topologysegment_add(LDAPCreate): class topologysegment_del(LDAPDelete): __doc__ = _('Delete a segment.') -NO_CLI = True msg_summary = _('Deleted segment %(value)s') def pre_callback(self, ldap, dn, *keys, **options): 
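Review bot: the ipalib/constants.py hunk raises MAX_DOMAIN_LEVEL from 0 to 1, and together with the removed `NO_CLI = True` lines in domainlevel.py and topology.py this makes `domainlevel-set` and the topology commands reachable from the CLI again; since the commit message says the hiding was needed for the 4.2 branch only, the patch must not be cherry-picked to ipa-4-2 along with the other fixes in this batch (the thread shows a master-only push, which is consistent), and a line in the commit message saying "master only" would make that intent survive the next backport sweep.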
@@ -234,7 +230,6 @@ class topologysegment_del(LDAPDelete): class topologysegment_mod(LDAPUpdate): __doc__ = _('Modify a segment.') -NO_CLI = True msg_summary = _('Modified segment %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): @@ -249,7 +244,6 @@ class topologysegment_reinitialize(LDAPQuery): __doc__ = _('Request a full re-initialization of the node '
Re: [Freeipa-devel] [RFC] Community Portal Captcha
On Fri, 2015-07-10 at 13:05 -0400, Drew Erny wrote: Hi, All, I think some of you discussed the details of the community portal captcha with me on IRC. Yesterday, I wrote up a design proposal for the captcha system that I'd like some of you to take a look at and check to see that I'm understanding it correctly, and that this captcha method is secure. http://www.freeipa.org/page/V4/Community_Portal_Captcha If you are going to use a DB for storing the HMAC signatures, then you can also store there the key used to generate them IMO. You generate the key from os.urandom(16) if it is not found (in which case you can also remove all the HMACs present in the DB as none will validate anymore). Simo. -- Simo Sorce * Red Hat, Inc * New York
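Simo's suggestion, as an added example that is neither the portal's code nor the design page's content: a constructed in-memory store stands in for the portal database, the HMAC key is created from os.urandom(16) the first time it is needed and kept next to the signatures, and generating a fresh key discards every stored MAC because none of them would validate under it. The challenge/answer shape, the expiry, the single-use consumption and every name below are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


class CaptchaStore:
    """Constructed in-memory stand-in for the portal database (assumption)."""

    def __init__(self):
        self.key = None        # HMAC key, stored alongside the signatures it protects
        self.challenges = {}   # challenge_id -> (mac, expires_at)


def load_or_create_key(store):
    """Return the stored HMAC key, generating one from os.urandom(16) if absent.

    A missing key means no existing signature can validate any more, so the
    stored MACs are dropped at the same moment.
    """
    if store.key is None:
        store.key = os.urandom(16)
        store.challenges.clear()
    return store.key


def rotate_key(store):
    """Force a new key; every outstanding challenge becomes invalid."""
    store.key = None
    return load_or_create_key(store)


def _mac(key, challenge_id, answer, expires_at):
    # Bind the expected answer to one challenge id and one expiry, so a MAC
    # cannot be reused for a different challenge or after it has expired.
    message = "%s|%s|%d" % (challenge_id, answer.strip().lower(), expires_at)
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


def issue_challenge(store, expected_answer, ttl=300, now=None):
    """Record only the MAC over the answer; the answer itself is never stored."""
    now = time.time() if now is None else now
    key = load_or_create_key(store)
    challenge_id = secrets.token_hex(16)
    expires_at = int(now) + ttl
    store.challenges[challenge_id] = (
        _mac(key, challenge_id, expected_answer, expires_at), expires_at)
    return challenge_id


def verify_answer(store, challenge_id, answer, now=None):
    """Single-use, time-limited, constant-time check of a submitted answer."""
    now = time.time() if now is None else now
    record = store.challenges.pop(challenge_id, None)  # consumed whatever the outcome
    if record is None:
        return False
    mac, expires_at = record
    if now > expires_at:
        return False
    key = load_or_create_key(store)
    return hmac.compare_digest(mac, _mac(key, challenge_id, answer, expires_at))
```

Because the database holds a MAC rather than the answer, a read of the table does not hand out solutions, and because the key lives in the same store, a restored backup is self-consistent: either both key and MACs come back, or the key is regenerated and the stale MACs are swept.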
Re: [Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas
On Fri, 2015-07-10 at 13:03 -0400, Simo Sorce wrote: This bug affects 4.2, we should backport the fix there too. See ticket: https://fedorahosted.org/freeipa/ticket/5116 For what it's worth, I tested this change in my replica install code and it fixes the issue, though the code is different and therefore it should be tested with a classic replica install. Also sorry for the HTML attachment, fat fingered while trying to copy/paste the ticket link from FF. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message
- Original Message - From: Tomas Babej tba...@redhat.com To: Veronika Kabatova vkaba...@redhat.com, freeipa-devel@redhat.com Sent: Friday, July 10, 2015 2:56:58 PM Subject: Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message On 07/09/2015 01:49 PM, Veronika Kabatova wrote: The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 ticket. Veronika Kabatova Hello, thanks for the patch. Actually, the doctest does not pass: $ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py --doctest-modules = test session starts = platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4 plugins: multihost, sourceorder collected 85 items ../ipalib/errors.py ...F..F.. == FAILURES === _ [doctest] ipalib.errors.DNSNotARecordError __ 1137 1138 **4019** Raised when a hostname is not a DNS A/ record 1139 1140 For example: 1141 1142 raise DNSNotARecordError() Differences (unified diff with -expected +actual): @@ -1,4 +1,6 @@ Traceback (most recent call last): - ... -DNSNotARecordError: Host does not have corresponding DNS A/ record, -use --force to continue anyway + File /usr/lib64/python2.7/doctest.py, line 1315, in __run +compileflags, 1) in test.globs + File doctest ipalib.errors.DNSNotARecordError[0], line 1, in module +raise DNSNotARecordError() +DNSNotARecordError: Host does not have corresponding DNS A/ record, use --force to continue anyway /usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure The reason for the mismatch here is that you wrapped the line - in this case, we need to violate the PEP8, and allow the length of the line to exceed 80 characters. Good to know, thanks for clarifying. Attached modified version which doesn't break tests, even if PEP8 checker is not happy with it. HTH, Tomas Thanks, Veronika Kabatova From 2a05588cd8c063838a1bca8fa996fbc141bdaa65 Mon Sep 17 00:00:00 2001 
From: Veronika Kabatova vkaba...@redhat.com
Date: Fri, 10 Jul 2015 19:33:58 +0200
Subject: [PATCH] Enhance the DNSNotARecordError message

Enhance the DNSNotARecordError message as proposed in ticket #3959. User is now suggested to use --force option.

https://fedorahosted.org/freeipa/ticket/3959
---
 ipalib/errors.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 7e34a879f1d9fad1ed0cbde263cda5cf6d84b7f9..69476b7706c704ad28b1808b7b80863b71dd775e 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1142,12 +1142,12 @@ class DNSNotARecordError(ExecutionError): raise DNSNotARecordError() Traceback (most recent call last): ... -DNSNotARecordError: Host does not have corresponding DNS A/ record +DNSNotARecordError: Host does not have corresponding DNS A/ record, use --force to continue anyway errno = 4019 -format = _('Host does not have corresponding DNS A/ record') +format = _('Host does not have corresponding DNS A/ record, use --force to continue anyway') class ManagedGroupError(ExecutionError): -- 2.4.3
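Review bot: the over-long `format = _('Host does not have corresponding DNS A/ record, use --force to continue anyway')` line is only forced by the docstring's doctest comparing the exception text verbatim; the docstring's expected output can stay wrapped if the `raise DNSNotARecordError()` line carries `# doctest: +NORMALIZE_WHITESPACE`, which makes the line break in the expected text compare equal to the single space in the real message, and the `format` string itself can then be split with implicit string concatenation (two adjacent literals inside the `_()` call) as long as the project's translation-string extraction handles adjacent literals. Worth a second look as well: this error is raised from ipalib and reaches the Web UI and JSON-RPC clients, where `--force` is a CLI spelling; naming the option as `force` would read correctly in every client.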
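The doctest mismatch Tomas shows above (expected exception text wrapped onto two lines, actual message on one line) and the directive that makes such a wrapped expectation pass, as an added example that is not FreeIPA code: `WrappedMessageError` is a stand-in for `ipalib.errors.DNSNotARecordError`, the two doctest strings are constructed here, and `run_doctest` drives Python's own `doctest` parser and runner so the failing and passing cases can be compared side by side.

```python
"""Show why a wrapped expected exception line fails a doctest, and the
directive that lets it pass.

Added example, not FreeIPA code. ``WrappedMessageError`` stands in for
ipalib.errors.DNSNotARecordError; both doctest strings are constructed here.
"""
import doctest
import io


class WrappedMessageError(Exception):
    """Error whose message is longer than a PEP8 line."""

    # Implicit string concatenation keeps the source under 80 columns
    # without putting a newline into the message itself.
    format = ("Host does not have corresponding DNS A/ record, "
              "use --force to continue anyway")

    def __init__(self):
        super().__init__(self.format)


def _qualified_name(exc_type):
    """Spell the exception the way traceback.format_exception_only does:
    bare name for __main__/builtins, module-qualified otherwise, so the
    expected text below is right whether this file is run or imported."""
    if exc_type.__module__ in ("__main__", "builtins"):
        return exc_type.__qualname__
    return f"{exc_type.__module__}.{exc_type.__qualname__}"


NAME = _qualified_name(WrappedMessageError)

# Expected output wrapped across two lines, as in the first patch version.
# Without a directive doctest compares the text verbatim, so this fails.
WRAPPED_NO_DIRECTIVE = f"""
>>> raise WrappedMessageError()
Traceback (most recent call last):
    ...
{NAME}: Host does not have corresponding DNS A/ record,
use --force to continue anyway
"""

# Same wrapped text; NORMALIZE_WHITESPACE makes the newline compare equal
# to the single space the real message contains, so this passes.
WRAPPED_WITH_DIRECTIVE = f"""
>>> raise WrappedMessageError()  # doctest: +NORMALIZE_WHITESPACE
Traceback (most recent call last):
    ...
{NAME}: Host does not have corresponding DNS A/ record,
use --force to continue anyway
"""


def run_doctest(text):
    """Run one doctest string in isolation; return (failed, attempted)."""
    parser = doctest.DocTestParser()
    globs = {"WrappedMessageError": WrappedMessageError}
    test = parser.get_doctest(text, globs, "example", "<example>", 0)
    runner = doctest.DocTestRunner(verbose=False)
    # Swallow the runner's report; the counts are what matter here.
    results = runner.run(test, out=io.StringIO().write)
    return results.failed, results.attempted


if __name__ == "__main__":
    print("wrapped, no directive:  ", run_doctest(WRAPPED_NO_DIRECTIVE))
    print("wrapped, with directive:", run_doctest(WRAPPED_WITH_DIRECTIVE))
```

The first run reports one failure out of one example, the second none; the message itself is unchanged in both cases, so the directive only relaxes how the docstring is compared, not what the user sees.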
[Freeipa-devel] [RFC] Community Portal Captcha
Hi, All,

I think some of you discussed the details of the community portal captcha with me on IRC. Yesterday, I wrote up a design proposal for the captcha system that I'd like some of you to take a look at and check to see that I'm understanding it correctly, and that this captcha method is secure.

http://www.freeipa.org/page/V4/Community_Portal_Captcha

Thanks,
Drew Erny
[Freeipa-devel] [PATCH 0006] Start dirsrv for kdcproxy upgrade
Hi,

this patch ensures that DS is running before HTTPInstance attempts to connect to LDAP.

https://fedorahosted.org/freeipa/ticket/5113

While I was testing the patch I ran into trouble with DS. The upgrade script couldn't connect to 389/TCP, although ns-slapd was running. After some digging I found this log line:

Jul 10 18:13:24 vm-120.abc.idm.lab.eng.brq.redhat.com ns-slapd[6278]: [10/Jul/2015:18:13:24 +0200] - Information: Non-Secure Port Disabled

which eventually led me to /etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif. The port was disabled with nsslapd-port: 0. After I stopped DS, changed the port back to 389 and started DS again, ipa-server-upgrade worked again.

Christian

From 90c77671a3f8969adb06d7c6092369e90acfd59b Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Fri, 10 Jul 2015 18:18:29 +0200
Subject: [PATCH] Start dirsrv for kdcproxy upgrade

The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv instance. Under some circumstances the dirsrv isn't running. The patch rearranges some upgrade steps and starts DS before enable_kdcproxy().

https://fedorahosted.org/freeipa/ticket/5113
---
 ipaserver/install/server/upgrade.py | 35 +++
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 84a5b06accb10663eaa4d995f66796366040e9c8..f295655dc2aa592e0215f15017c9b65af49eef80 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1396,22 +1396,6 @@ def upgrade_configuration(): http.change_mod_nss_port_from_http() http.configure_certmonger_renewal_guard() -if not http.is_kdcproxy_configured(): -root_logger.info('[Enabling KDC Proxy]') -if http.admin_conn is None: -http.ldapi = True -http.fqdn = fqdn -http.realm = api.env.realm -http.suffix = ipautil.realm_to_suffix(api.env.realm) -http.ldap_connect() -http.create_kdcproxy_conf() -http.enable_kdcproxy() - -http.stop() -update_mod_nss_protocol(http) -fix_trust_flags() -http.start() - ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() @@ -1433,6 +1417,25 @@ def upgrade_configuration(): ds.suffix = ipautil.realm_to_suffix(api.env.realm) ds_enable_sidgen_extdom_plugins(ds) +# Now 389-ds is available, run the remaining http tasks +if not http.is_kdcproxy_configured(): +root_logger.info('[Enabling KDC Proxy]') +if http.admin_conn is None: + # 389-ds needs to be running +ds.start() +http.ldapi = True +http.fqdn = fqdn +http.realm = api.env.realm +http.suffix = ipautil.realm_to_suffix(api.env.realm) +http.ldap_connect() +http.create_kdcproxy_conf() +http.enable_kdcproxy() + +http.stop() +update_mod_nss_protocol(http) +fix_trust_flags() +http.start() + uninstall_selfsign(ds, http) simple_service_list = ( -- 2.4.3
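Review bot: in the second hunk (`@@ -1433,6 +1417,25 @@`) `ds.start()` is only reached inside `if http.admin_conn is None:`, so when an `admin_conn` already exists but 389-ds is down, `http.create_kdcproxy_conf()` and `http.enable_kdcproxy()` still run against a stopped directory server; the commit message says DS is started before `enable_kdcproxy()`, so the start (or an explicit running check) belongs before the whole `if not http.is_kdcproxy_configured():` block rather than under the connection branch. The instance started here is also never stopped again, which is fine only if the rest of the upgrade deliberately expects DS to stay up; a comment saying so would help the next reader. Minor: the `+ # 389-ds needs to be running` comment is indented one column deeper than the `+ds.start()` it describes.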
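A check for the condition Christian describes (the plain LDAP port switched off with `nsslapd-port: 0` in dse.ldif, leaving ns-slapd running but unreachable on 389/TCP), as an added example that is neither FreeIPA nor 389-ds code: it reads the `cn=config` entry of a dse.ldif, coping with LDIF's folded continuation lines and base64 (`::`) values, and reports whether the non-secure port is disabled. The LDIF below is constructed for the example; the hostname and instance name are taken from the message, every other value is an assumption.

```python
"""Report whether a 389-ds dse.ldif has its plain LDAP port disabled.

Added example, not FreeIPA or 389-ds code. The real file lives under
/etc/dirsrv/slapd-<INSTANCE>/dse.ldif; the sample below is constructed.
"""
import base64
from typing import Dict, Iterator, List

# Constructed sample: an instance whose non-secure port was set to 0.
# It deliberately includes a folded line and a base64 attribute value.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-localhost: vm-120.abc.idm.lab.eng.brq.redhat.com
nsslapd-port: 0
nsslapd-securePort: 636
nsslapd-security: on
nsslapd-errorlog: /var/log/dirsrv/slapd-IPA-EXAMPLE/err
 ors
nsslapd-rootdn:: Y249RGlyZWN0b3J5IE1hbmFnZXI=

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
nsTLS1: on
"""


def iter_ldif_entries(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield LDIF entries as {attribute (lowercased): [values]}.

    Handles the LDIF details a naive line split gets wrong: folded lines
    (a continuation line starts with one space), base64 values written as
    ``attr:: b64`` and multi-valued attributes. Comments are skipped.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold onto the previous line
        else:
            logical.append(raw)

    entry: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        attr = attr.strip().lower()
        if attr == "version" and not entry:
            continue  # leading "version: 1" header, not an attribute
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    if entry:
        yield entry


def find_entry(text: str, dn: str) -> Dict[str, List[str]]:
    """Return the entry with the given DN (case-insensitive) or raise KeyError."""
    for entry in iter_ldif_entries(text):
        if entry.get("dn", [""])[0].lower() == dn.lower():
            return entry
    raise KeyError(dn)


def check_dirsrv_ports(text: str) -> Dict[str, object]:
    """Summarise the listener configuration of the cn=config entry.

    nsslapd-port 0 is how 389-ds expresses "plain port disabled", which is
    what the 'Non-Secure Port Disabled' log line in the message reports.
    """
    cfg = find_entry(text, "cn=config")
    port = int(cfg.get("nsslapd-port", ["389"])[0])
    secure_port = int(cfg.get("nsslapd-secureport", ["0"])[0])
    security_on = cfg.get("nsslapd-security", ["off"])[0].lower() == "on"
    return {
        "port": port,
        "secure_port": secure_port,
        "plain_port_disabled": port == 0,
        "ldaps_enabled": security_on and secure_port != 0,
        "errorlog": cfg.get("nsslapd-errorlog", [None])[0],
    }


if __name__ == "__main__":
    print(check_dirsrv_ports(SAMPLE_DSE_LDIF))
```

Against a real server, feed it `open("/etc/dirsrv/slapd-IPA-EXAMPLE/dse.ldif").read()` (read-only; 389-ds rewrites dse.ldif itself, so edits belong in a stopped instance, as Christian did). A result with `plain_port_disabled` true explains an upgrade that fails to reach 389/TCP while `ns-slapd` is clearly running, and the returned `errorlog` path is where the "Non-Secure Port Disabled" line is recorded.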
[Freeipa-devel] [PATCH 529] Fix DNS record installation for replicas
This bug affects 4.2, we should backport the fix there too.

See ticket: https://fedorahosted.org/freeipa/ticket/5116

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From 84ca685e4dab2880812a915f04798d647068de0c Mon Sep 17 00:00:00 2001
From: Simo Sorce s...@redhat.com
Date: Fri, 10 Jul 2015 12:58:19 -0400
Subject: [PATCH] Fix DNS records installation for replicas

Ticket: https:/fedorahosted.org/freeipa/ticket/5116

Signed-off-by: Simo Sorce s...@redhat.com
---
 ipaserver/install/server/replicainstall.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a78eeb331c1f3f4f2233abb9e65bdde79eee4000..a828ba9d8ce1b4c4ceecbe9356034d3bb2cfaa25 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -503,9 +503,8 @@ def install_check(installer): if options.setup_dns: dns.install_check(False, True, options, config.host_name) else: -installutils.get_server_ip_address(config.host_name, fstore, - not installer.interactive, False, - options.ip_addresses) +config.ips = installutils.get_server_ip_address(config.host_name, +fstore, not installer.interactive, False, options.ip_addresses) # check connection if not options.skip_conncheck: -- 2.4.2

Ticket #5116 (new defect): Replica install fails to update DNS records
Reported by: simo
Priority: critical
Milestone: 0.0 NEEDS_TRIAGE
Component: IPA

Description: The code that installs records in the replicainstall.py file loops on config.ips to find which records to add to DNS, unfortunately the change in ae9c3e2dce000ed185b28e2e6e85043ad8d001ed broke this because config.ips is not set.
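Review bot: `config.ips` is now assigned only in the `else:` branch; on the `if options.setup_dns:` path `dns.install_check(False, True, options, config.host_name)` is called for its side effects and nothing in this hunk sets `config.ips`, yet per ticket #5116 the record-installation loop iterates `config.ips` whichever branch ran, so either confirm that `dns.install_check` populates it or assign it on that path as well. Style: the continuation line `+fstore, not installer.interactive, False, options.ip_addresses)` drops the argument alignment the removed lines had. Also, the `Ticket:` URL in the commit message reads `https:/fedorahosted.org/...` with a single slash.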