[Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
URL: https://github.com/freeipa/freeipa/pull/145 Title: #145: Refactoring: LDAP Connection Management jcholast commented: """ In addition to my inline comments:
* use component name ("ipaldap", "ldap2", "install", ...) rather than "ldap refactoring" as a prefix in commit subjects,
* please move "ldap refactoring: change default time/size limit in ldap2" before "ldap refactoring: conn management in dsinstance" and squash it with "ldap refactoring: restore previous time/size limit in backend",
* squash "ldap refactoring: add restart_dirsrv to installutils" and "ldap refactoring: use restart_dirsrv in installers",
* maybe squash all of the "ldap refactoring: conn management in ipa-...", as it is a single change across multiple scripts. """ See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-257790636 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#207][opened] Provide user hint about IP address in IPA install
URL: https://github.com/freeipa/freeipa/pull/207 Author: Akasurde Title: #207: Provide user hint about IP address in IPA install Action: opened PR body: """ With this fix, user will be notified about pressing enter to proceed with IPA installation procedure, if user has provided valid IP address previously. Fixes https://fedorahosted.org/freeipa/ticket/5949 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/207/head:pr207 git checkout pr207 From 27f0a980b9b077f297ff7753675c0d766cae9767 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 2 Nov 2016 13:33:37 +0530 Subject: [PATCH] Provide user hint about IP address in IPA install With this fix, user will be notified about pressing enter to proceed with IPA installation procedure, if user has provided valid IP address previously. Fixes https://fedorahosted.org/freeipa/ticket/5949 Signed-off-by: Abhijeet Kasurde --- ipaserver/install/installutils.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 8111f18..6c06a22 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -268,8 +268,11 @@ def add_record_to_hosts(ip, host_name, conf_file=paths.HOSTS): def read_ip_addresses(): ips = [] print("Enter the IP address to use, or press Enter to finish.") +msg = "Please provide the IP address to be used for this host name" while True: -ip = ipautil.user_input("Please provide the IP address to be used for this host name", allow_empty = True) +if ips: +msg += " or leave blank to continue with the installation" +ip = ipautil.user_input(msg, allow_empty=True) if not ip: break try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
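Review bot: `msg += " or leave blank to continue with the installation"` is executed inside the `while True:` loop, so once `ips` is non-empty the suffix is appended again on every further iteration and the prompt grows by one clause per address entered. Build the prompt per iteration instead, e.g. `prompt = msg + (" or leave blank to continue with the installation" if ips else "")` and pass `prompt` to `ipautil.user_input`, leaving `msg` unchanged.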
[Freeipa-devel] [freeipa PR#208][opened] Tests: Fix integration sudo test
URL: https://github.com/freeipa/freeipa/pull/208 Author: mirielka Title: #208: Tests: Fix integration sudo test Action: opened PR body: """ Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers attribute fail due to different expected value than is really returned. This is caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to which the tests were originally fitted. Changing the expected value to proper one. [1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html https://fedorahosted.org/freeipa/ticket/6378 Please note that this PR needs to go to master, ipa-4-4 AND ipa-4-3 branches (ticket milestone is to be updated). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/208/head:pr208 git checkout pr208 From c67887803e221a3916fdfa9cb779f0363ee02670 Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Wed, 5 Oct 2016 14:25:01 +0200 Subject: [PATCH] Tests: Fix integration sudo test Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers attribute fail due to different expected value than is really returned. This is caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to which the tests were originally fitted. Changing the expected value to proper one. [1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html https://fedorahosted.org/freeipa/ticket/6378 --- ipatests/test_integration/test_sudo.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py index a1676a2..1fbdee3 100644 --- a/ipatests/test_integration/test_sudo.py +++ b/ipatests/test_integration/test_sudo.py 
@@ -530,7 +530,7 @@ def test_sudo_rule_restricted_to_running_as_single_group_setup(self): def test_sudo_rule_restricted_to_running_as_single_group(self): result1 = self.list_sudo_commands("testuser1", verbose=True) -assert "RunAsUsers: root" in result1.stdout_text +assert "RunAsUsers: testuser1" in result1.stdout_text assert "RunAsGroups: testgroup2" in result1.stdout_text def test_setting_category_to_all_with_valid_entries_runasgroup(self): @@ -551,7 +551,7 @@ def test_sudo_rule_restricted_to_running_as_single_local_group_setup(self): def test_sudo_rule_restricted_to_running_as_single_local_group(self): result1 = self.list_sudo_commands("testuser1", verbose=True) -assert "RunAsUsers: root" in result1.stdout_text +assert "RunAsUsers: testuser1" in result1.stdout_text assert "RunAsGroups: localgroup" in result1.stdout_text def test_setting_category_to_all_with_valid_entries_runasgroup_local(self): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
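Review bot: both hunks hard-code the behaviour of sudo 1.8.18 and later (`RunAsUsers: testuser1`), so the test now fails on hosts with an older sudo, where the commit message says `root` is reported. Consider gating the assertion on the installed sudo version, or skipping these two tests below 1.8.18, so the expected value follows the sudo actually under test rather than the platform it runs on.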
[Freeipa-devel] [freeipa PR#208][edited] Tests: Fix integration sudo test
URL: https://github.com/freeipa/freeipa/pull/208 Author: mirielka Title: #208: Tests: Fix integration sudo test Action: edited Changed field: body Original value: """ Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers attribute fail due to different expected value than is really returned. This is caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to which the tests were originally fitted. Changing the expected value to proper one. [1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html https://fedorahosted.org/freeipa/ticket/6378 Please note that this PR needs to go to master, ipa-4-4 AND ipa-4-3 branches (ticket milestone is to be updated). """
[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Author: ofayans Title: #200: Test: basic kerberos over http functionality Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/200/head:pr200 git checkout pr200 From bb1a112db5b224544581a7703d8484c6ae6b8945 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 1 Nov 2016 09:25:16 +0100 Subject: [PATCH 1/2] Test: basic kerberos over http functionality https://fedorahosted.org/freeipa/ticket/6446 --- ipatests/test_integration/test_http_kdc_proxy.py | 59 1 file changed, 59 insertions(+) create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py new file mode 100644 index 000..3743dad --- /dev/null +++ b/ipatests/test_integration/test_http_kdc_proxy.py 
@@ -0,0 +1,59 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import six +import ipaddress +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipaplatform.paths import paths + + +if six.PY3: +unicode = str + + +class TestHttpKdcProxy(IntegrationTest): +topology = "line" +num_clients = 1 + +@classmethod +def install(cls, mh): +super(TestHttpKdcProxy, cls).install(mh) +# client ip version check +client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip)) +if isinstance(client_ip, ipaddress.IPv4Address): +util = 'iptables' +else: +util = 'ip6tables' +# Block access from client to master's port 88 +cls.master.run_command([ +util, '-A', 'INPUT', '-s', cls.clients[0].ip, +'-p', 'tcp', '--dport', '88', '-j', 'DROP']) +cls.master.run_command([ +util, '-A', 'INPUT', '-s', cls.clients[0].ip, +'-p', 'udp', '--dport', '88', '-j', 'DROP']) +# configure client +cls.clients[0].run_command( +"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % ( +cls.master.hostname, paths.KRB5_CONF) +) +cls.clients[0].run_command( +"sed -i 's/master_kdc = .*$/master_kdc" +" = https:\/\/%s\/KdcProxy/' %s" % ( +cls.master.hostname, paths.KRB5_CONF) +) +# Workaround for https://fedorahosted.org/freeipa/ticket/6443 +cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service']) +# End of workaround + +@classmethod +def uninstall(cls, mh): +super(TestHttpKdcProxy, cls).uninstall(mh) +cls.master.run_command(['iptables', '-F']) + +def test_http_kdc_proxy_works(self): +result = tasks.kinit_admin(self.clients[0], raiseonerr=False) +assert(result.returncode == 0), ( +"Unable to kinit using KdcProxy: %s" % result.stderr_text +) From 8515d81a025fe259316cb11b75263fe1cafb76be Mon Sep 17 00:00:00 2001 
From: Oleg Fayans Date: Tue, 1 Nov 2016 09:54:12 +0100 Subject: [PATCH 2/2] Test: made kinit_admin a returning function In some cases we need to check the result of kinit and print out the error message. Therefore we need it to return the result. --- ipatests/test_integration/tasks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index df5e408..0d5e084 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None): def kinit_admin(host, raiseonerr=True): -host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr, - stdin_text=host.config.admin_password) +return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr, +stdin_text=host.config.admin_password) def uninstall_master(host, ignore_topology_disconnect=True, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
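Review bot: in the `test_http_kdc_proxy.py` hunk of PATCH 1/2, the two `sed` expressions embed `https:\/\/%s\/KdcProxy` in ordinary (non-raw) Python string literals; `"\/"` is an invalid escape that Python 2 keeps verbatim but Python 3 flags with a DeprecationWarning, so use a raw string or a different sed delimiter, e.g. `"sed -i 's| kdc = .*$| kdc = https://%s/KdcProxy|' %s"`. In the same hunk, `uninstall` runs `iptables -F` unconditionally even though `install` may have used `ip6tables` for an IPv6 client, and `-F` flushes every INPUT rule on the master rather than the two added here; store `util` on the class and remove exactly those rules with `-D` (same arguments as the `-A` calls) in `uninstall`.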
[Freeipa-devel] [freeipa PR#205][synchronized] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Author: simo5 Title: #205: Support DAL version 5 and version 6 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/205/head:pr205 git checkout pr205 From 1f0822b21eb3daa0c769d3377fc841d7ce8aaccc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 15:13:14 -0400 Subject: [PATCH] Support DAL version 5 and version 6 See bz#1389866 Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb.c | 102 -- 1 file changed, 63 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index fbcb03b..e96353f 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr) /* KDB Virtual Table */ +#if KRB5_KDB_DAL_MAJOR_VERSION == 5 kdb_vftabl kdb_function_table = { -KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */ -0, /* minor version number */ -ipadb_init_library, /* init_library */ -ipadb_fini_library, /* fini_library */ -ipadb_init_module, /* init_module */ -ipadb_fini_module, /* fini_module */ -ipadb_create, /* create */ -NULL, /* destroy */ -ipadb_get_age, /* get_age */ -NULL, /* lock */ -NULL, /* unlock */ -ipadb_get_principal,/* get_principal */ -ipadb_free_principal, /* free_principal */ -ipadb_put_principal,/* put_principal */ -ipadb_delete_principal, /* delete_principal */ -ipadb_iterate, /* iterate */ -ipadb_create_pwd_policy,/* create_policy */ -ipadb_get_pwd_policy, /* get_policy */ -ipadb_put_pwd_policy, /* put_policy */ -ipadb_iterate_pwd_policy, /* iter_policy */ -ipadb_delete_pwd_policy,/* delete_policy */ -ipadb_free_pwd_policy, /* free_policy */ -ipadb_alloc,/* alloc */ -ipadb_free, /* free */ -ipadb_fetch_master_key, /* fetch_master_key */ -NULL, /* fetch_master_key_list */ -ipadb_store_master_key_list,/* store_master_key_list */ -NULL, /* dbe_search_enctype */ -ipadb_change_pwd, /* change_pwd */ -NULL, /* promote_db */ -NULL, /* decrypt_key_data */ -NULL, /* encrypt_key_data */ -ipadb_sign_authdata,/* sign_authdata */ -ipadb_check_transited_realms, /* check_transited_realms */ -ipadb_check_policy_as, /* check_policy_as */ -NULL, /* check_policy_tgs */ -ipadb_audit_as_req, /* audit_as_req */ -NULL, /* refresh_config */ -ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */ +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.free_principal = ipadb_free_principal, +.put_principal = 
ipadb_put_principal, +.delete_principal = ipadb_delete_principal, +.iterate = ipadb_iterate, +.create_policy = ipadb_create_pwd_policy, +.get_policy = ipadb_get_pwd_policy, +.put_policy = ipadb_put_pwd_policy, +.iter_policy = ipadb_iterate_pwd_policy, +.delete_policy = ipadb_delete_pwd_policy, +.free_policy = ipadb_free_pwd_policy, +.alloc = ipadb_alloc, +.free = ipadb_free, +.fetch_master_key = ipadb_fetch_master_key, +.store_master_key_list = ipadb_store_master_key_list, +.change_pwd = ipadb_change_pwd, +.sign_authdata = ipadb_sign_authdata, +.check_transited_realms = ipadb_check_transited_realms, +.check_policy_as = ipadb_check_policy_as, +.audit_as_req = ipadb_audit_as_req, +.check_allowed_to_delegate = ipadb_check_allowed_to_delegate }; +#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 +kdb_vftabl kdb_function_table = { +.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +.min_ver = 0, +.init_library = ipadb_init_library, +.fini_library = ipadb_fini_library, +.init_module = ipadb_init_module, +.fini_module = ipadb_fini_module, +.create = ipadb_create, +.get_age = ipadb_get_age, +.get_principal = ipadb_get_principal, +.put_principal
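Review bot: in the visible part of this hunk the `#if KRB5_KDB_DAL_MAJOR_VERSION == 5` / `#elif KRB5_KDB_DAL_MAJOR_VERSION == 6` chain has no `#else`, so building against any other DAL version leaves `kdb_function_table` undefined and the problem surfaces only when the KDC tries to load the module. Add `#else` / `#error "Unsupported KRB5_KDB_DAL_MAJOR_VERSION"` so the mismatch is caught at compile time. The move to designated initializers is otherwise fine: members omitted from the new tables (`destroy`, `lock`, `unlock`, `fetch_master_key_list`, ...) are zero-initialized, which matches the explicit `NULL` entries that were removed.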
[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6
URL: https://github.com/freeipa/freeipa/pull/205 Title: #205: Support DAL version 5 and version 6 simo5 commented: """ Updated """ See the full comment at https://github.com/freeipa/freeipa/pull/205#issuecomment-257820109
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From 66376aa06260cde40e8674941be964465d4878d5 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Mon, 24 Oct 2016 11:27:01 +0200 Subject: [PATCH] User Tracker: creation of user with minimal values Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 23 +++ 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 4485fd9..a55fb29 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py @@ -62,7 +62,7 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): super(UserTracker, self).__init__(default_version=None) self.uid = name self.givenname = givenname 
@@ -71,13 +71,20 @@ def __init__(self, name, givenname, sn, **kwargs): self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): +""" Make function that creates a user using user-add """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
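Review bot: `make_create_command(self, force=None)` introduces a `force` parameter that the body never uses; either drop it or pass it through to `user_add` (for example add `force=force` to the kwargs when it is not None). The two `return self.make_command(...)` branches also differ only in whether `self.uid` is passed positionally, so `args = (self.uid,) if self.uid is not None else ()` followed by a single `self.make_command('user_add', *args, givenname=self.givenname, sn=self.sn, **self.kwargs)` avoids the duplicated call.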
[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py pspacek commented: """ > 1. redirect stderr and use python setup.py --quiet sdist_list. The order is > import, python setup.py sdist_list --quiet only silences sdist_list command, > not subcommands. Could you fix sdist_list so it properly propagates --quiet option to the subcommands? """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257835229
[Freeipa-devel] [freeipa PR#209][opened] Enumerate available options in IPA installer
URL: https://github.com/freeipa/freeipa/pull/209 Author: Akasurde Title: #209: Enumerate available options in IPA installer Action: opened PR body: """ Fix adds enumerated list of available options in IPA server installer and IPA CA installer help options Fixes https://fedorahosted.org/freeipa/ticket/5435 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/209/head:pr209 git checkout pr209 From 281f5f90d01c12bcc862ea4124006cfff90fff32 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 2 Nov 2016 16:36:17 +0530 Subject: [PATCH] Enumerate available options in IPA installer Fix adds enumerated list of available options in IPA server installer and IPA CA installer help options Fixes https://fedorahosted.org/freeipa/ticket/5435 Signed-off-by: Abhijeet Kasurde --- install/tools/ipa-ca-install | 7 +-- ipaserver/install/server/common.py | 8 ++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 985e741..e34d033 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install 
@@ -61,15 +61,18 @@ def parse_options(): default=False, help="unattended installation never prompts the user") parser.add_option("--external-ca", dest="external_ca", action="store_true", default=False, help="Generate a CSR to be signed by an external CA") +ext_cas = ("generic", "ms-cs") parser.add_option("--external-ca-type", dest="external_ca_type", - type="choice", choices=("generic", "ms-cs"), + type="choice", choices=ext_cas, + metavar="{%s}" % "|".join(ext_cas), help="Type of the external CA") parser.add_option("--external-cert-file", dest="external_cert_files", action="append", metavar="FILE", help="File containing the IPA CA certificate and the external CA certificate chain") +ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA') parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm", type="choice", - choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), + choices=ca_algos, metavar="{%s}" % "|".join(ca_algos), help="Signing algorithm of the IPA CA certificate") parser.add_option("-P", "--principal", dest="principal", sensitive=True, default=None, help="User allowed to manage replicas") diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py index e6093d1..57b36a0 100644 --- a/ipaserver/install/server/common.py +++ b/ipaserver/install/server/common.py @@ -148,9 +148,11 @@ def subject(self, value): except ValueError as e: raise ValueError("invalid subject base format: %s" % e) +ca_algos = {'SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'} ca_signing_algorithm = Knob( -{'SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'}, None, +ca_algos, None, description="Signing algorithm of the IPA CA certificate", +cli_metavar="{%s}" % "|".join(ca_algos) ) skip_schema_check = Knob( 
@@ -169,9 +171,11 @@ class BaseServerDNS(common.Installable, core.Group, core.Composite): cli_name='forwarder', ) +forward_policies = {'only', 'first'} forward_policy = Knob( -{'only', 'first'}, None, +forward_policies, None, description=("DNS forwarding policy for global forwarders"), +cli_metavar="{%s}" % "|".join(forward_policies), ) auto_forwarders = Knob( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
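Review bot: in the two `ipaserver/install/server/common.py` hunks `ca_algos` and `forward_policies` are sets, so `"|".join(ca_algos)` and `"|".join(forward_policies)` emit the metavar in whatever iteration order the set happens to have, and the `--help` text can differ between runs and Python versions. Use a tuple, as the `ipa-ca-install` hunk already does with `ext_cas` and `ca_algos`, or join `sorted(...)`, so the help output is stable.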
[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value pspacek commented: """ The approach with wiping env adds another layer of problems, e.g. inability to use `KRB5_TRACE` environment variable for debugging etc. IMHO we should use absolute paths whenever we call an external program and let the env be. If an attacker is controlling env the game is already over. He could mess with `LD_PRELOAD` or any other current or future sensitive variables. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257838182
[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py tiran commented: """ There is nothing to fix here. Just use the `--source-list` argument. """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257838678
[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py pspacek commented: """ > There is nothing to fix here. Just use the --source-list argument. I would rather avoid temporary file and related logic. For this reason I would like to see `--quiet` option propagated to subcommands. Can it be done? """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257840453
[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py
URL: https://github.com/freeipa/freeipa/pull/203 Title: #203: Add sdist_list plugin to all setup.py tiran commented: """ It can't be done in a clean way. distutils and setuptools starts logging to stdout before the command has a chance to change the log level. I don't want to change the log level globally because it contains useful information. """ See the full comment at https://github.com/freeipa/freeipa/pull/203#issuecomment-257841684
[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value mbasti-rh commented: """ https://fedorahosted.org/freeipa/ticket/6449 """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257847185
[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204 Title: #204: ipautil.run: Remove hardcoded environ PATH value rcritten commented: """ +1 on using absolute paths. I don't recall any cases where KRB5_TRACE was needed so is this a theoretical use case or an actual one? Yes, LD_PRELOAD or PYTHONPATH can be tweaked but this just proves my point: the environment is untrustworthy. """ See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257867492
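The trade-off pspacek and rcritten are discussing, as an added illustration that is not FreeIPA's `ipautil.run`: a helper launched with a wiped environment and a hard-coded PATH silently loses variables such as `KRB5_TRACE`, while requiring an absolute program path removes the dependence on the caller's PATH without touching the rest of the environment. The `/bin/sh` path, the hard-coded PATH string and the `KRB5_TRACE=/dev/stderr` value are assumptions made for the demo.

```python
import os
import subprocess

# Added example, not FreeIPA code: contrasts the two subprocess-launch policies
# discussed in PR #204.  Assumes a POSIX /bin/sh is available.

# Stand-in for the hard-coded PATH that the PR wants to remove (assumed value).
HARDCODED_PATH = "/bin:/sbin:/usr/bin:/usr/sbin"


def child_env_value(var, parent_env, wipe_env):
    """Spawn /bin/sh and return what the child sees for `var` ('unset' if absent).

    wipe_env=True  -> the child gets only the hard-coded PATH; anything the
                      caller relied on (KRB5_TRACE for debugging, for example)
                      disappears without any error.
    wipe_env=False -> parent_env is handed to the child unchanged.
    """
    env = {"PATH": HARDCODED_PATH} if wipe_env else dict(parent_env)
    # ${var-unset} expands to the literal "unset" only when var is not set.
    proc = subprocess.run(
        ["/bin/sh", "-c", 'printf %s "${' + var + '-unset}"'],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout


def is_absolute_invocation(argv):
    """True when argv[0] is an absolute path, i.e. no PATH lookup is involved."""
    return bool(argv) and os.path.isabs(argv[0])


def run_absolute(argv, parent_env):
    """The approach argued for in the comments: refuse a bare program name so
    the lookup never depends on PATH, and otherwise leave the environment be."""
    if not is_absolute_invocation(argv):
        raise ValueError("program must be given by absolute path: %r" % (argv[0],))
    return subprocess.run(argv, env=dict(parent_env),
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed parent environment for the demo.
    parent = {"PATH": "/usr/local/bin:/usr/bin:/bin", "KRB5_TRACE": "/dev/stderr"}
    print("wiped env,   KRB5_TRACE =", child_env_value("KRB5_TRACE", parent, True))
    print("passthrough, KRB5_TRACE =", child_env_value("KRB5_TRACE", parent, False))
    print("absolute-path exit code:",
          run_absolute(["/bin/sh", "-c", "exit 0"], parent).returncode)
```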
[Freeipa-devel] [freeipa PR#210][opened] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: opened PR body: """ Fix provide possibility of creation stage user with minimal values, with uid not specified. Implementation is the same as for User Tracker. https://fedorahosted.org/freeipa/ticket/6448 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 298e1a136c6a430e8deaa558a946ba51874ffd95 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Mon, 10 Oct 2016 14:00:51 +0200 Subject: [PATCH 1/2] Unaccessible variable self.attrs in Tracker In tracker, 'self.attrs' variable is created and filled in track_create method. Some objects are not created but still require access to this variable. Created 'self.attrs' variable in init https://fedorahosted.org/freeipa/ticket/6125 --- ipatests/test_xmlrpc/tracker/base.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index a2b7406..aa88e6b 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -76,6 +76,7 @@ def __init__(self, default_version=None): self.api = api self.default_version = default_version or API_VERSION self._dn = None +self.attrs = {} self.exists = False From bef74b75f895a6317a75a9b254262ed53835a529 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 2/2] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified. https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..8e49043 100644 
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py @@ -61,7 +61,7 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): super(StageUserTracker, self).__init__(default_version=None) self.uid = name self.givenname = givenname @@ -73,11 +73,21 @@ def __init__(self, name, givenname, sn, **kwargs): def make_create_command(self, options=None): """ Make function that creates a staged user using stageuser-add """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
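Review bot: in the `make_create_command` hunk the two `return self.make_command('stageuser_add', ...)` branches differ only in whether `self.uid` is passed positionally; `args = (self.uid,) if self.uid is not None else ()` followed by one `self.make_command('stageuser_add', *args, givenname=self.givenname, sn=self.sn, **self.kwargs)` removes the duplication (the same applies to the `UserTracker` change this mirrors). The added `+ ` line after the docstring also introduces trailing whitespace; make it an empty line.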
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 51c51d3be33eed2f7200536b401a1beaccf7c9e9 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified. https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..8e49043 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py @@ -61,7 +61,7 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): super(StageUserTracker, self).__init__(default_version=None) self.uid = name self.givenname = givenname 
@@ -73,11 +73,21 @@ def __init__(self, name, givenname, sn, **kwargs): def make_create_command(self, options=None): """ Make function that creates a staged user using stageuser-add """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#204][+rejected] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value
Label: +rejected
[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

mbasti-rh commented:
"""
Closing this PR; how to handle environment variables must be discussed and designed first.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/204#issuecomment-257905927
[Freeipa-devel] [freeipa PR#204][closed] ipautil.run: Remove hardcoded environ PATH value
URL: https://github.com/freeipa/freeipa/pull/204
Author: mbasti-rh
Title: #204: ipautil.run: Remove hardcoded environ PATH value
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/204/head:pr204
git checkout pr204
[Freeipa-devel] [freeipa PR#202][synchronized] ipa-getkeytab enhancements
URL: https://github.com/freeipa/freeipa/pull/202 Author: martbab Title: #202: ipa-getkeytab enhancements Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/202/head:pr202 git checkout pr202 From 84ec6a30ab1c0d7e0f91092f6019f89eb3706aba Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 27 Oct 2016 13:35:10 +0200 Subject: [PATCH 1/4] ipa-getkeytab: expose CA cert path as option get rid of hardcoded CA cert path and allow the caller to use supplied custom paths instead https://fedorahosted.org/freeipa/ticket/6409 --- client/ipa-getkeytab.c | 25 +++-- client/man/ipa-getkeytab.1 | 6 +- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c index 0f549a5..6da3c59 100644 --- a/client/ipa-getkeytab.c +++ b/client/ipa-getkeytab.c @@ -44,6 +44,8 @@ #include "ipa_asn1.h" #include "ipa-client-common.h" +#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt" + static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit) { sasl_interact_t *in = NULL; @@ -152,10 +154,9 @@ static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servernam return rc; } -const char *ca_cert_file = "/etc/ipa/ca.crt"; - static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ, - const char *bind_dn, const char *bind_pw, LDAP **_ld) + const char *bind_dn, const char *bind_pw, + const char *ca_cert_file, LDAP **_ld) { char *msg = NULL; struct berval bv; @@ -343,6 +344,7 @@ static int ldap_set_keytab(krb5_context krbctx, krb5_principal princ, const char *binddn, const char *bindpw, + const char *ca_cert_file, struct keys_container *keys) { LDAP *ld = NULL; 
@@ -369,7 +371,7 @@ static int ldap_set_keytab(krb5_context krbctx, goto error_out; } -ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld); +ret = ipa_ldap_bind(servername, princ, binddn, bindpw, ca_cert_file, &ld); if (ret != LDAP_SUCCESS) { fprintf(stderr, _("Failed to bind to server!\n")); goto error_out; @@ -500,6 +502,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password, const char *enctypes, const char *bind_server, const char *svc_princ, krb5_principal bind_princ, const char *bind_dn, const char *bind_pw, + const char *ca_cert_file, struct keys_container *keys, int *kvno, char **err_msg) { @@ -529,7 +532,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password, goto done; } -ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld); +ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, +ca_cert_file, &ld); if (ret != LDAP_SUCCESS) { *err_msg = _("Failed to bind to server!\n"); goto done; @@ -684,6 +688,7 @@ int main(int argc, const char *argv[]) static const char *enctypes_string = NULL; static const char *binddn = NULL; static const char *bindpw = NULL; + static const char *ca_cert_file = NULL; int quiet = 0; int askpass = 0; int permitted_enctypes = 0; @@ -712,6 +717,8 @@ int main(int argc, const char *argv[]) _("LDAP DN"), _("DN to bind as if not using kerberos") }, { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, _("LDAP password"), _("password to use if not using kerberos") }, + { "cacert", 'c', POPT_ARG_STRING, &ca_cert_file, 0, + _("Path to the IPA CA certificate"), _("IPA CA certificate")}, { "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0, _("Retrieve current keys without changing them"), NULL }, POPT_AUTOHELP @@ -798,6 +805,10 @@ int main(int argc, const char *argv[]) } } +if (!ca_cert_file) { +ca_cert_file = DEFAULT_CA_CERT_FILE; +} + if (askpass && retrieve) { fprintf(stderr, _("Incompatible options provided (-r and -P)\n")); exit(2); 
@@ -853,6 +864,7 @@ int main(int argc, const char *argv[]) kvno = -1; ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string, server, principal, uprinc, binddn, bindpw, + ca_cert_file, &keys, &kvno, &err_msg); if (ret) { if (!quiet && err_msg != NULL) { @@ -877,7 +889,8 @@ int main(int argc, const char *argv[]) exit(8); } -kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys); +kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, + bindpw, ca_cert_file, &keys); } i
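Review bot: in the main() hunks the new `--cacert` value is only defaulted (`if (!ca_cert_file) { ca_cert_file = DEFAULT_CA_CERT_FILE; }`) and never checked for existence or readability before it is handed down to ipa_ldap_bind, so a mistyped path surfaces only as an opaque TLS/bind failure later; an early `access(ca_cert_file, R_OK)` check with a clear message and a distinct exit code, next to the existing `-r`/`-P` incompatibility check, would make the option safer to use. The man page change listed in the diffstat (client/man/ipa-getkeytab.1) is not shown here, so please confirm the option and its default are documented there.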
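Review bot: in the ipa_ldap_bind hunk, replacing the removed file-scope `const char *ca_cert_file = "/etc/ipa/ca.crt";` with an explicit parameter is the right direction, but the path is now threaded through two intermediate functions (main -> ldap_get_keytab / ldap_set_keytab -> ipa_ldap_bind) and only main guarantees it is non-NULL; add a comment on ipa_ldap_bind stating that ca_cert_file must not be NULL, or have it fall back to DEFAULT_CA_CERT_FILE itself, so a future caller cannot bind with an unset CA path.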
[Freeipa-devel] [freeipa PR#202][comment] ipa-getkeytab enhancements
URL: https://github.com/freeipa/freeipa/pull/202
Title: #202: ipa-getkeytab enhancements

martbab commented:
"""
Thank you for review @simo5. I have fixed the issues and reworked the LDAP initialization and binding logic a bit to clean it up. It produced green tests for me. I have also updated the command man page as I missed that during initial work.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/202#issuecomment-257910325
[Freeipa-devel] [freeipa PR#211][opened] IPA Allows Password Reuse with History value defined when admin reset…
URL: https://github.com/freeipa/freeipa/pull/211 Author: tbordaz Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Action: opened PR body: """ …s the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/211/head:pr211 git checkout pr211 From 95aea810c8b19104a5b71dbd2cb55bf04031b652 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 19 Oct 2016 15:04:13 +0200 Subject: [PATCH] IPA Allows Password Reuse with History value defined when admin resets the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 22 +- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index cab7b7c..8ee0417 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; switch(data->changetype) { -case IPA_CHANGETYPE_ADMIN: -/* The expiration date needs to be older than the current time - * otherwise the KDC may not immediately register the password - * as expired. The last password change needs to match the - * password expiration otherwise minlife issues will arise. - */ -data->timeNow -= 1; -data->expireTime = data->timeNow; -break; case IPA_CHANGETYPE_NORMAL: /* Find the entry with the password policy */ ret = ipapwd_getPolicy(data->dn, data->target, &pol); 
@@ -564,6 +555,18 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } break; + case IPA_CHANGETYPE_ADMIN: +/* The expiration date needs to be older than the current time + * otherwise the KDC may not immediately register the password + * as expired. The last password change needs to match the + * password expiration otherwise minlife issues will arise. + */ +data->timeNow -= 1; +data->expireTime = data->timeNow; + + /* let set the entry password property according to its + * entry password policy + */ case IPA_CHANGETYPE_DSMGR: /* PassSync agents and Directory Manager can administratively * change the password without expiring it. @@ -577,6 +580,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } else { pol.max_pwd_life = tmppol.max_pwd_life; + pol.history_length = tmppol.history_length; } break; default: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
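Review bot: in the second hunk the relocated `case IPA_CHANGETYPE_ADMIN:` sets `data->timeNow -= 1; data->expireTime = data->timeNow;` and then intentionally falls through into `case IPA_CHANGETYPE_DSMGR:`, but nothing marks that; add an explicit `/* fall through */` marker (or the compiler's fallthrough attribute) so -Wimplicit-fallthrough and later readers do not mistake it for a missing break. Please also confirm that the shared DSMGR code does not overwrite data->expireTime, since its comment says that path changes the password "without expiring it" while the admin reset must stay expired. The new comment reads better as "Set the entry's password properties according to its password policy".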
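Review bot: in the third hunk, `pol.history_length = tmppol.history_length;` next to the existing max_pwd_life copy is what makes an admin reset honour the history policy (ticket 6402), but because the block is shared with IPA_CHANGETYPE_DSMGR it now also enforces history length for PassSync and Directory Manager changes; if that wider effect is intended it should be stated in the commit message and covered by a test, otherwise the assignment should be limited to the admin path.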
[Freeipa-devel] [freeipa PR#211][comment] IPA Allows Password Reuse with History value defined when admin reset…
URL: https://github.com/freeipa/freeipa/pull/211
Title: #211: IPA Allows Password Reuse with History value defined when admin reset…

martbab commented:
"""
Please address the comment in code.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/211#issuecomment-257952076
[Freeipa-devel] Is checks/check-ra.py still useful?
Hi,

when working on build system refactoring, I've noticed file checks/check-ra.py. README follows:

> This directory is for integration tests that require a live backend (LDAP,
> Certificate Server, etc.). It's named "checks" so nose won't discover tests
> here.

Is it still useful? As far as I can tell it was last updated in 2009 and it contains hardcoded host name of a dead machine.

We should either revive it or remove it. I do not want to distribute non-functional code in the new shiny tarball.

--
Petr^2 Spacek
Re: [Freeipa-devel] Is checks/check-ra.py still useful?
Petr Spacek wrote:
> Hi,
>
> when working on build system refactoring, I've noticed file
> checks/check-ra.py.
>
> README follows:
>> This directory is for integration tests that require a live backend (LDAP,
>> Certificate Server, etc.). It's named "checks" so nose won't discover tests
>> here.
>
> Is it still useful? As far as I can tell it was last updated in 2009 and it
> contains hardcoded host name of a dead machine.
>
> We should either revive it or remove it. I do not want to distribute
> non-functional code in the new shiny tarball.

I think it can go. It would be worth taking the opportunity to double-check that the API this was written to cover is being handled in test_cert_plugin.py. I suspect it probably is.

rob
[Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management
URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

tomaskrizek commented:
"""
I've made some modifications based on the feedback. Since I've changed a lot of code, I've once again tested some use cases manually and fixed all the bugs I was able to find. Jenkins might stumble upon some problems, but hopefully we can merge this ASAP. I'm on PTO on Friday so if we want to merge this week, I can make some last modifications tomorrow.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/145#issuecomment-257989321
[Freeipa-devel] CSR autogeneration next steps
Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten.

Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10
- Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data
- Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build

Other prototypes and design ideas that aren't ready for submission yet:

- Utility written in C to build a CertificationRequestInfo from a SubjectPublicKeyInfo and an openssl-style config file. The purpose of this is to take a config that my code already knows how to generate, and put it in a form that certmonger can use. This is nearly done and available at: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
  - Ideally it should be possible to use this tool to reimplement the full cert-request automation (local-cert-build branch) without a dependency on the certutil/openssl tools. However, I don't think any of the python crypto libraries have bindings for the functions that deal with CertificationRequestInfo objects, so I don't think I can do this in the short term.
- Certmonger "helper" program that takes in the CertificationRequestInfo that certmonger generates, calls out to IPA for profile-specific data, and returns an updated CertificationRequestInfo built from the data. Certmonger doesn't currently support this type of helper, but (if I understood correctly) this is the architecture Nalin believed would be simplest to fit in. This is not done yet, but I intend to complete it soon - it shouldn't require much code beyond what's in build_requestinfo.c.
- Tool to convert an XER-encoded cert extension to DER, given the ASN.1 description of the extension. This would unblock Jan Cholasta's idea of using XSLT for templates rather than text-based formatting. I should be able to implement the conversion tool, but it may be a while before I have time to demo the full XSLT idea.

So: currently on my to-do list are the certmonger helper and the XER->DER conversion tool. Do you have any comments about these plans, and is there anything else I can do to wrap up the project neatly?

Thanks,
Ben
Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
On 10/20/2016 03:52 PM, Ben Lipton wrote:
On 10/17/2016 02:16 AM, Jan Cholasta wrote:
On 13.10.2016 17:23, Ben Lipton wrote:

Thank you, this was a really helpful clarification of your point. Comments below. Once again, I'm sorry I missed the email for so long.

Ben

On 09/05/2016 06:52 AM, Jan Cholasta wrote:
On 27.8.2016 22:40, Ben Lipton wrote:
On 08/25/2016 04:11 PM, Rob Crittenden wrote:
Ben Lipton wrote:
On 08/23/2016 03:54 AM, Jan Cholasta wrote:
On 8.8.2016 22:23, Ben Lipton wrote:
On 07/25/2016 07:45 AM, Jan Cholasta wrote:
On 25.7.2016 13:11, Alexander Bokovoy wrote:
On Mon, 25 Jul 2016, Jan Cholasta wrote:
On 20.7.2016 16:05, Ben Lipton wrote:

Hi,

Thanks very much for the feedback! Some responses below; I hope you'll let me know what you think of my reasoning.

On 07/20/2016 04:20 AM, Jan Cholasta wrote:

Hi,

On 17.6.2016 00:06, Ben Lipton wrote:
On 06/14/2016 08:27 AM, Ben Lipton wrote:

Hello all,

I have written up a design proposal for making certificate requests easier to generate when using alternate certificate profiles: http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. The use case for this is described in https://fedorahosted.org/freeipa/ticket/4899. I will be working on implementing this design over the next couple of months. If you have the time and interest, please take a look and share any comments or concerns that you have.

Thanks!
Ben

Just a quick update to say that I've created a new document that covers the proposed schema additions in a more descriptive way (with diagrams!) I'm very new to developing with LDAP, so some more experienced eyes on the proposal would be very helpful, even if you don't have time to absorb the full design. Please take a look at http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema if you have a chance.

I finally had a chance to take a look at this, here are some comments:

1) I don't like how transformation rules are tied to a particular helper and have to be duplicated for each of them. They should be generic and work with any helper, as helpers are just an implementation detail and their resulting data is the same. In fact, I think I would prefer if the CSR was generated using python-cryptography's CertificateSigningRequestBuilder [1] rather than openssl or certutil or any other command line tool.

There are lots of tools that users might want to use to manage their private keys, so I don't know if we can assume that whatever library we prefer will actually be able to access the private key to sign a CSR, which is why I thought it would be useful to support more than one.

python-cryptography has the notion of backends, which allow it to support multiple crypto implementations. Upstream it currently supports only OpenSSL [2], but some work has been done on PKCS#11 backend [3], which provides support for HSMs and soft-tokens (like NSS databases). Alternatively, for NSS databases (and other "simple" cases), you can generate the private key with python-cryptography using the default backend, export it to a file and import the file to the target database, so you don't actually need the PKCS#11 backend for them. So, the only thing that's currently lacking is HSM support, but given that we don't support HSMs in IPA nor in certmonger, I don't think it's an issue for now.

The purpose of the mapping rule is to tie together the transformation rules that produce the same data into an object that's implementation-agnostic, so that profiles referencing those rules are automatically compatible with all the helper options.

They are implementation-agnostic, as long as you consider `openssl` and `certutil` the only implementations :-) But I don't think this solution scales well to other possible implementations.

Anyway, my main grudge is that the transformation rules shouldn't really be stored on and processed by the server. The server should know the *what* (mapping rules), but not the *how* (transformation rules). The *how* is an implementation detail and does not change in time, so there's no benefit in handling it on the server. It should be handled exclusively on the client, which I believe would also make the whole thing more robust (it would not be possible for a bug on the server to break all the clients).

This is a good point. However, for the scope of Ben's project can we limit it by openssl and certutil support? Otherwise Ben wouldn't be able to complete the project in time.

I'm fine with that, but I don't think it's up to me :-)

This is turning out to be a common (and, I think, reasonable) reaction to the proposal. It is rather complex, and I worry that it will be difficult to configure. On the other hand, there is some hidden complexity to enabling a simpler config format, as well. One of the goals of the project as it was presented to me was to allow the creation of profiles that add certificate extensions *that FreeIPA