[Freeipa-devel] [freeipa PR#216][opened] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Author: tomaskrizek Title: #216: libexec scripts: ldap conn management Action: opened PR body: """ Certificate renewal scripts require connection to LDAP. Properly handle connects and disconnects from LDAP. https://fedorahosted.org/freeipa/ticket/6461 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/216/head:pr216 git checkout pr216 From ab992c73a62fa9d9d213b7745fe5540d2a611bda Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 9 Nov 2016 09:52:28 +0100 Subject: [PATCH] libexec scripts: ldap conn management Certificate renewal scripts require connection to LDAP. Properly handle connects and disconnects from LDAP. https://fedorahosted.org/freeipa/ticket/6461 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 3 +++ install/restart_scripts/renew_ca_cert | 3 +++ install/restart_scripts/renew_ra_cert | 2 ++ 3 files changed, 8 insertions(+) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index f2b15cf..26a7f15 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -476,6 +476,7 @@ def main(): api.bootstrap(in_server=True, context='renew') api.finalize() +api.Backend.ldap2.connect() operation = os.environ.get('CERTMONGER_OPERATION') if operation not in ('SUBMIT', 'POLL'): @@ -507,6 +508,8 @@ def main(): certs.renewal_lock.release() shutil.rmtree(tmpdir) +api.Backend.ldap2.disconnect() + try: sys.exit(main()) except Exception as e: diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 7b3c8bd..d0effb1 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert 
@@ -40,6 +40,7 @@ def _main(): api.bootstrap(in_server=True, context='restart') api.finalize() +api.Backend.ldap2.connect() dogtag_service = services.knownservices['pki_tomcatd'] @@ -200,6 +201,8 @@ def _main(): syslog.syslog( syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name) +api.Backend.ldap2.disconnect() + def main(): try: diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 62c5aa6..4185b52 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -39,6 +39,7 @@ def _main(): api.bootstrap(in_server=True, context='restart') api.finalize() +api.Backend.ldap2.connect() tmpdir = tempfile.mkdtemp(prefix="tmp-") try: @@ -75,6 +76,7 @@ def _main(): else: syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd") +api.Backend.ldap2.disconnect() def main(): try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
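Review bot: in the `@@ -507,6 +508,8 @@ def main()` hunk of dogtag-ipa-ca-renew-agent-submit, `api.Backend.ldap2.disconnect()` is added after the cleanup lines `certs.renewal_lock.release()` and `shutil.rmtree(tmpdir)` rather than alongside them; if it sits after the try/finally instead of inside the `finally:`, any exception raised while the lock is held (which the module-level `except Exception` below then catches) leaves the LDAP connection open until process exit. Moving the disconnect into that `finally:` block closes the gap. The `@@ -476,6 +476,7 @@` hunk has the mirror problem: `api.Backend.ldap2.connect()` runs before the `CERTMONGER_OPERATION` check, so if the unsupported-operation branch returns early (its body is not shown), nothing disconnects on that path either; connecting after the check, or wrapping the rest of `main()` in try/finally, handles both. The same placement question applies to the `@@ -200,6 +201,8 @@` hunk of renew_ca_cert and the `@@ -75,6 +76,7 @@` hunk of renew_ra_cert, where the disconnect is reached only on the success path at the end of `_main()`.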
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
commit `Build: add rpms target and makerpms.sh script` misses makerpms.sh and ticket, and it looks like you forgot to squash this commit
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259364783
[Freeipa-devel] [freeipa PR#213][+ack] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3
Label: +ack
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
The patch has some minor creases but works. Let's merge it to master and iron out the remaining small issues with PRs.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259368347
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] `MOSTLYCLEANFILES` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add `clean-local: rm -rf *.pyc *.pyc __pycache__`
- [ ] `Makefile.python.am` clean-local has `-delete` and `-exec`. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes `/dist` and `/rpmbuild`
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] `MOSTLYCLEANFILES` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add `clean-local: rm -rf *.pyc *.pyc __pycache__`
- [ ] `Makefile.python.am` clean-local has `-delete` and `-exec`. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes `/dist` and `/rpmbuild`
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [ ] add `ipasetup.py` to `dist_noinst_SCRIPTS` ?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190
[Freeipa-devel] [freeipa PR#217][opened] change certificate processing code to use python-cryptography
URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: opened PR body: """ This commit changes certificate processing code to use python-cryptography instead of NSS. Part of the refactoring effort, certificates sub-effort. Reviewed at dkupka/freeipa:pull/1 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 From 48d4aa5be45ff73d7384d2aa004550f595ec6570 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 10 Oct 2016 16:08:52 +1000 Subject: [PATCH 1/7] dn: support conversion from python-cryptography Name The upcoming change to using python-cryptography for certificate process will require a way to convert ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``. Update the ``DN`` constructor to accept a ``Name``. Part of: https://fedorahosted.org/freeipa/ticket/6398 --- ipapython/dn.py| 43 -- ipatests/test_ipapython/test_dn.py | 23 ++-- 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 3ee35c6..682e0ca 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -422,6 +422,7 @@ import sys import functools +import cryptography.x509 from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR import six @@ -976,6 +977,8 @@ class DN(object): to yield one or more RDN's which will be appended in order to the DN. The parsing recognizes the DN syntax escaping rules. +* A single ``cryptography.x509.name.Name`` object. + * A RDN object, the RDN will copied respecting the constructors keyword configuration parameters and appended in order. 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value): rdns = [[ava]] elif isinstance(value, RDN): rdns = [value.to_openldap()] +elif isinstance(value, cryptography.x509.name.Name): +rdns = list(reversed([ +[get_ava( +_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), +ava.value)] +for ava in value +])) else: -raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" % -type(value)) +raise TypeError( +"must be str, unicode, tuple, Name, RDN or DN, got %s instead" +% type(value)) return rdns def _rdns_from_sequence(self, seq): 
@@ -1407,3 +1418,31 @@ def rindex(self, pattern, start=None, end=None): if i == -1: raise ValueError("pattern not found") return i + + +_ATTR_NAME_BY_OID = { +cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', +cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', +cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', +cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', +cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', +cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', +cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', +cryptography.x509.oid.NameOID.SURNAME: 'SN', +cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', +cryptography.x509.oid.NameOID.TITLE: 'title', +cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', +cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', +cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', +cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', +cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', +cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: +'incorporationCountry', +cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: +'incorporationLocality', +cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: +'incorporationState', +cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', +cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', +cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', +} diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a96bd33..3ca3b57 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py @@ -2,6 +2,7 @@ import unittest import pytest +from cryptography import x509 import six from ipapython.dn import DN, RDN, AVA 
@@ -621,7 +622,7 @@ class TestDN(unittest.TestCase): def setUp(self): # ava1 must sort before ava2 self.attr1= 'cn' -self.value1 = 'Bob' +self.value1 = u'Bob' self.str_ava1 = '%s=%s' % (self.attr1, self.value1) self.ava1 = AVA(self.attr1, self.value1) @@ -629,7 +630,7 @@ def setUp(self): self.rdn1 = RDN((self.attr1, self.value1))
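Review bot: in the `@@ -1125,9 +1128,17 @@ def _rdns_from_value` hunk of ipapython/dn.py, `for ava in value` iterates the `Name` attribute by attribute and wraps each one in its own single-AVA list, so a multi-valued RDN in the certificate subject is split into separate RDNs and the resulting `DN` no longer matches the name it was built from (a subject RDN such as `OU=x+CN=y` becomes two RDNs). Iterating `value.rdns` and emitting one list of `get_ava(...)` entries per `RelativeDistinguishedName` keeps the grouping; the `reversed(...)` is right as it stands, since X.509 stores the name root-first while `DN` expects LDAP order. A case with a multi-valued RDN in ipatests/test_ipapython/test_dn.py would pin the behaviour down, since the test hunks shown only touch single-AVA fixtures.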
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
Bump for review
"""
See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-259387372
[Freeipa-devel] [freeipa PR#218][opened] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Author: martbab Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Action: opened PR body: """ Since /etc/ipa/ca.crt should be always present on the test runner, we should use it in bind method tests and not rely on its presence in user conf dir. https://fedorahosted.org/freeipa/ticket/6409 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/218/head:pr218 git checkout pr218 From bf72528ff5ac3d37938eb39d5b5c0d995485c17c Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 9 Nov 2016 11:35:44 +0100 Subject: [PATCH] test_ipagetkeytab: use system-wide IPA CA cert location in tests Since /etc/ipa/ca.crt should be always present on the test runner, we should use it in bind method tests and not rely on its presence in user conf dir. https://fedorahosted.org/freeipa/ticket/6409 --- ipatests/test_cmdline/test_ipagetkeytab.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipatests/test_cmdline/test_ipagetkeytab.py b/ipatests/test_cmdline/test_ipagetkeytab.py index 25c31ea..2f74ae9 100644 --- a/ipatests/test_cmdline/test_ipagetkeytab.py +++ b/ipatests/test_cmdline/test_ipagetkeytab.py @@ -28,6 +28,7 @@ import pytest from ipalib import api +from ipaplatform.paths import paths from ipapython import ipautil, ipaldap from ipaserver.plugins.ldap2 import ldap2 from ipatests.test_cmdline.cmdline import cmdline_test @@ -211,7 +212,7 @@ def setup_class(cls): os.close(tempfd) -shutil.copy(os.path.join(api.env.confdir, 'ca.crt'), temp_ca_cert) +shutil.copy(os.path.join(paths.IPA_CA_CRT), temp_ca_cert) cls.ca_cert = temp_ca_cert -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
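Review bot: in the `@@ -211,7 +212,7 @@ def setup_class` hunk, `os.path.join(paths.IPA_CA_CRT)` with a single argument is a no-op left over from the replaced `os.path.join(api.env.confdir, 'ca.crt')`; pass `paths.IPA_CA_CRT` to `shutil.copy` directly. With the `api.env.confdir` use gone, the `from ipalib import api` import that the `@@ -28,6 +28,7 @@` hunk keeps may now be unused in this file and is worth checking.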
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] `MOSTLYCLEANFILES` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add `clean-local: rm -rf *.pyc *.pyc __pycache__`
- [ ] `Makefile.python.am` clean-local has `-delete` and `-exec`. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes `/dist` and `/rpmbuild`
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [x] add `ipasetup.py` to `dist_noinst_SCRIPTS` ?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190
[Freeipa-devel] [freeipa PR#219][opened] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Author: flo-renaud Title: #219: Refactor installer code requesting certificates Action: opened PR body: """ With this PR, the certificates requested during server installation are now consistently obtained through certmonger (applies to HTTP/LDAP and renew agent cert). https://fedorahosted.org/freeipa/ticket/6433 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/219/head:pr219 git checkout pr219 From 0c7835de813378b98a870bcc36c460b8c1717f09 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 8 Nov 2016 09:02:57 +0100 Subject: [PATCH 1/2] Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used before Kerberos is configured. --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index f2b15cf..14c48e4 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -85,7 +85,7 @@ def ldap_connect(): conn = None try: conn = ldap2(api) -conn.connect(ccache=os.environ['KRB5CCNAME']) +conn.connect(autobind=True) yield conn finally: if conn is not None and conn.isconnected(): @@ -484,11 +484,6 @@ def main(): tmpdir = tempfile.mkdtemp(prefix="tmp-") certs.renewal_lock.acquire() try: -principal = str('host/%s@%s' % (api.env.host, api.env.realm)) -ccache_filename = os.path.join(tmpdir, 'ccache') -os.environ['KRB5CCNAME'] = ccache_filename -ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) - profile = os.environ.get('CERTMONGER_CA_PROFILE') if profile: handler = handlers.get(profile, request_and_store_cert) From d927c638ffb1ce640e977fc61ebddec9fa20e163 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud Date: Tue, 25 Oct 2016 08:49:10 +0200 Subject: [PATCH 2/2] Refactor installer code requesting certificates - Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA agent cert, using the temp cert created during pkispawn. The cert request is now processed through certmonger, and the helper arguments are restored once the agent cert is obtained. - Modify the installer code creating HTTP and LDAP certificates to use certmonger's IPA helper with temporary parameters (calling dogtag-submit instead of ipa-submit) - Clean-up for the integration tests: sometimes ipa renewal.lock is not released during ipa-server-uninstall. Make sure that the file is removed to allow future installations. https://fedorahosted.org/freeipa/ticket/6433 --- .../certmonger/dogtag-ipa-ca-renew-agent-submit| 2 +- ipapython/certmonger.py| 65 +- ipaserver/install/cainstance.py| 217 ++--- ipaserver/install/certs.py | 12 -- ipaserver/install/dogtaginstance.py| 2 +- ipaserver/install/dsinstance.py| 38 +++- ipaserver/install/httpinstance.py | 37 +++- ipatests/test_integration/tasks.py | 1 + 8 files changed, 187 insertions(+), 187 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 14c48e4..1b5650a 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -171,7 +171,7 @@ def request_cert(): "Forwarding request to dogtag-ipa-renew-agent") path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT -args = [path] + sys.argv[1:] +args = [path] + sys.argv[1:] + ['--submit-option', "requestor_name=IPA"] if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert': args += ['-N', '-O', 'bypassCAnotafter=true'] result = ipautil.run(args, raiseonerr=False, env=os.environ, diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 765f9e8..6f0948a 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py 
@@ -297,9 +297,27 @@ def add_subject(request_id, subject): add_request_value(request_id, 'template-subject', subject) +def request_and_wait_for_cert( +nssdb, nickname, subject, principal, passwd_fname=None, +dns=None, ca='IPA', profile=None, +pre_command=None, post_command=None): +""" +Execute certmonger to request a server certificate. + +The method also waits for the certificate to be available. +""" +reqId = request_cert(nssdb, nickname, subject, principal, + passwd_fname, dns, ca, profile, + pre_command, post_command) +s
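Review bot: the `@@ -85,7 +85,7 @@ def ldap_connect()` hunk of patch 1/2 replaces the host-keytab bind (`conn.connect(ccache=os.environ['KRB5CCNAME'])`) with `conn.connect(autobind=True)`, and the `@@ -484,11 +484,6 @@ def main()` hunk drops the `kinit_keytab` setup, but the commit message only says this lets the helper run before Kerberos is configured. It should also state which LDAP identity autobind yields for the uid certmonger runs this helper as, and why that level of access is acceptable for everything the helper does, since a per-host Kerberos principal is being swapped for a uid-based mapping. After the removal, check whether `paths` and the `ipautil.kinit_keytab` import path are still referenced in this file; `ipautil.run` in the `@@ -171,7 +171,7 @@ def request_cert()` context keeps `ipautil` itself in use.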
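Review bot: in the `@@ -171,7 +171,7 @@ def request_cert()` hunk of patch 2/2, every forwarded request now carries `'--submit-option', "requestor_name=IPA"`, yet none of the three bullets in the commit message mentions a change to the arguments passed on to dogtag-ipa-renew-agent; a sentence on why the requestor name is set, and set to the same value for all profiles, belongs there. The mixed quote styles in that one list (`'--submit-option'` next to `"requestor_name=IPA"`) should be made consistent with the surrounding code.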
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

pspacek commented:
"""
@tiran

> add ipasetup.py to dist_noinst_SCRIPTS ?

`ipasetup.py` file is auto-generated from `ipasetup.py.in` so it should not be part of distribution tarball. I've marked this item as "done".
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259391220
[Freeipa-devel] [freeipa PR#219][edited] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219
Author: flo-renaud
Title: #219: Refactor installer code requesting certificates
Action: edited
Changed field: body
Original value:
"""
With this PR, the certificates requested during server installation are now consistently obtained through certmonger (applies to HTTP/LDAP and renew agent cert).

https://fedorahosted.org/freeipa/ticket/6433
"""
[Freeipa-devel] [freeipa PR#216][synchronized] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Author: tomaskrizek Title: #216: libexec scripts: ldap conn management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/216/head:pr216 git checkout pr216 From 8f4e1c5f3f90cc31ff4e853e0c228fad2d7e0d24 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 9 Nov 2016 09:52:28 +0100 Subject: [PATCH] libexec scripts: ldap conn management Certificate renewal scripts require connection to LDAP. Properly handle connects and disconnects from LDAP. https://fedorahosted.org/freeipa/ticket/6461 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 3 +++ install/restart_scripts/renew_ca_cert | 2 ++ install/restart_scripts/renew_ra_cert | 2 ++ 3 files changed, 7 insertions(+) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index f2b15cf..6f5841e 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -476,6 +476,7 @@ def main(): api.bootstrap(in_server=True, context='renew') api.finalize() +api.Backend.ldap2.connect() operation = os.environ.get('CERTMONGER_OPERATION') if operation not in ('SUBMIT', 'POLL'): @@ -506,6 +507,8 @@ def main(): finally: certs.renewal_lock.release() shutil.rmtree(tmpdir) +api.Backend.ldap2.disconnect() + try: sys.exit(main()) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 7b3c8bd..0f0a690 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -40,6 +40,7 @@ def _main(): api.bootstrap(in_server=True, context='restart') api.finalize() +api.Backend.ldap2.connect() dogtag_service = services.knownservices['pki_tomcatd'] 
@@ -182,6 +183,7 @@ def _main(): conn.disconnect() finally: shutil.rmtree(tmpdir) +api.Backend.ldap2.disconnect() # Now we can start the CA. Using the services start should fire # off the servlet to verify that the CA is actually up and responding so diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 62c5aa6..d71d6e2 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -39,6 +39,7 @@ def _main(): api.bootstrap(in_server=True, context='restart') api.finalize() +api.Backend.ldap2.connect() tmpdir = tempfile.mkdtemp(prefix="tmp-") try: @@ -65,6 +66,7 @@ def _main(): krainstance.export_kra_agent_pem() finally: shutil.rmtree(tmpdir) +api.Backend.ldap2.disconnect() # Now restart Apache so the new certificate is available syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd") -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
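Review bot: in the `@@ -182,6 +183,7 @@ def _main()` hunk of renew_ca_cert (and the matching `@@ -65,6 +66,7 @@` hunk of renew_ra_cert), `api.Backend.ldap2.disconnect()` now follows the `finally: shutil.rmtree(tmpdir)` cleanup, but as far as the context shows it is not inside that `finally:`, so an exception in the try body still skips it. The script already disconnects its own `conn` inside the try; the `api.Backend.ldap2` teardown belongs in the same `finally:` next to `shutil.rmtree(tmpdir)` so both paths close it. The same holds for the `@@ -506,6 +507,8 @@ def main()` hunk of the submit helper, where the disconnect is placed after `certs.renewal_lock.release()` and `shutil.rmtree(tmpdir)` rather than alongside them in the `finally:` that the context shows.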
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

pspacek commented:
"""
@tiran I've tested the find command and it works. The trick is `-o` which acts like OR and allows you to specify different conditions and associate different actions to them. I'm going to check the checkbox as well :-)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259392845
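The `find` form pspacek describes, with two condition/action pairs joined by `-o`, as an added example that is not FreeIPA's own `Makefile.python.am` rule: the tree it cleans is constructed here, and the function names are mine.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Demonstrates a clean-local style find(1)
# invocation that uses both -delete and -exec by putting each action behind
# its own condition and joining the two branches with -o.

# Build a constructed source tree carrying the artefacts a Python build leaves.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/pkg/__pycache__"
    echo 'x = 1' > "$dir/pkg/a.py"
    : > "$dir/pkg/a.pyc"
    : > "$dir/pkg/a.pyo"
    : > "$dir/pkg/__pycache__/a.cpython-36.pyc"
}

# Delete *.pyc and *.pyo files, and rm -rf every __pycache__ directory.
# Each branch is "<test> <action>". The implicit -a between a test and its
# action binds tighter than -o, so -delete only fires when the first test
# matches and -exec only when -name __pycache__ matches. -delete also turns
# on -depth, so a directory's contents are visited before the directory
# itself and find never descends into something it has already removed.
clean_python_artifacts() {
    dir=$1
    find "$dir" \( -name '*.pyc' -o -name '*.pyo' \) -delete \
        -o -name '__pycache__' -exec rm -rf {} +
}

# Exit status 0 only when the artefacts are gone and the source survived.
check_clean() {
    dir=$1
    [ -f "$dir/pkg/a.py" ] &&
    [ ! -e "$dir/pkg/a.pyc" ] &&
    [ ! -e "$dir/pkg/a.pyo" ] &&
    [ ! -d "$dir/pkg/__pycache__" ]
}

# Usage: demo builds a throwaway tree, cleans it and reports the result.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    clean_python_artifacts "$tmp"
    if check_clean "$tmp"; then echo "clean ok"; else echo "clean FAILED"; fi
    rm -rf "$tmp"
}
```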
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

tiran commented:
"""
memo for me:

- [ ] /freeipa*.tar.gz is not removed
- [ ] `MOSTLYCLEANFILES` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add `clean-local: rm -rf *.pyc *.pyc __pycache__`
- [x] `Makefile.python.am` clean-local has `-delete` and `-exec`. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes `/dist` and `/rpmbuild`
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [x] add `ipasetup.py` to `dist_noinst_SCRIPTS` ?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

mbasti-rh commented:
"""
ACK
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259399255
[Freeipa-devel] [freeipa PR#213][+ack] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3
Label: +ack
[Freeipa-devel] [freeipa PR#213][closed] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
Title: #213: Build system refactoring phase 3
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/213/head:pr213
git checkout pr213
[Freeipa-devel] [freeipa PR#213][+pushed] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3
Label: +pushed
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213
Title: #213: Build system refactoring phase 3

martbab commented:
"""
Fixed upstream master:
"""
See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259400321
[Freeipa-devel] Build system refactoring was pushed to master
Hi FreeIPA gang, we just pushed Build system refactoring to master. The most visible change is that you need to use the command "./makerpms.sh" instead of "make rpms" when building FreeIPA from a clean Git tree. "make rpms" will work as usual after the initial autoreconf -i && ./configure combo, so this affects only the very first build. The page http://www.freeipa.org/page/Build was updated with other changes as well, most notably the file VERSION was renamed to VERSION.m4. Other details are mentioned in the design document http://www.freeipa.org/page/V4/Build_system_refactoring and pull request: https://github.com/freeipa/freeipa/pull/213 Let me know if you encounter any issues! -- Petr^2 Spacek
[Freeipa-devel] [freeipa PR#195][edited] [WIP] Make ipaclient pip install-able
URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: edited Changed field: body Original value: """
## proof of concept
This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.
## example
```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```
## open problems
- [ ] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time
"""
[Freeipa-devel] [freeipa PR#216][comment] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management flo-renaud commented: """ Thanks for the update. Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/216#issuecomment-259406309
[Freeipa-devel] [freeipa PR#216][+ack] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management Label: +ack
[Freeipa-devel] [freeipa PR#220][opened] Build: fix make clean to remove build artifacts from top-level directory
URL: https://github.com/freeipa/freeipa/pull/220 Author: pspacek Title: #220: Build: fix make clean to remove build artifacts from top-level directory Action: opened PR body: """ make lint and make dist were generating files which were not removed by make clean. https://fedorahosted.org/freeipa/ticket/6418 This fixed some of the missing checkboxes in #213. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/220/head:pr220 git checkout pr220 From e2688d927ce136bef16a181a534989363e012747 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 9 Nov 2016 13:34:04 +0100 Subject: [PATCH] Build: fix make clean to remove build artifacts from top-level directory make lint and make dist were generating files which were not removed by make clean. https://fedorahosted.org/freeipa/ticket/6418 --- Makefile.am | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index ffa5de2..031aef4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,11 @@ SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po -MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo +MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ + ignore_import_errors.pyc ignore_import_errors.pyo \ + ipasetup.pyc ipasetup.pyo \ + lite-server.pyc lite-server.pyo \ + pylint_plugins.pyc pylint_plugins.pyo \ + $(TARBALL) # user-facing scripts dist_bin_SCRIPTS = ipa @@ -25,6 +30,11 @@ EXTRA_DIST = .mailmap \ pylintrc \ pytest.ini +clean-local: + rm -rf "$(RPMBUILD)" + rm -rf "$(top_builddir)/dist" + rm -rf "$(top_srcdir)/__pycache__" + # convenience targets for RPM build RPMBUILD ?= $(abs_builddir)/rpmbuild TARBALL = $(PACKAGE)-$(VERSION).tar.gz
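Review bot: in the MOSTLYCLEANFILES hunk, `ipasetup.pyc ipasetup.pyo` appears twice (on the first line of the assignment and again on the third continuation line); drop the duplicated continuation line. Referencing `$(TARBALL)` before `TARBALL = $(PACKAGE)-$(VERSION).tar.gz` is defined further down works only because make expands recursively-defined variables lazily; a one-line comment saying so would spare the next reader the check.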
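Review bot: in the clean-local hunk, `rm -rf "$(RPMBUILD)"` deletes whatever directory RPMBUILD currently names, and because the default is set with `RPMBUILD ?= $(abs_builddir)/rpmbuild`, an RPMBUILD variable inherited from the environment overrides it; `make clean` would then remove a directory outside the build tree. Consider deleting only the in-tree default `$(abs_builddir)/rpmbuild`, or checking that `$(RPMBUILD)` lies under `$(abs_builddir)` before the `rm -rf`. Note also that `rm -rf "$(top_srcdir)/__pycache__"` removes only the top-level cache directory, not the per-subdirectory ones.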
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 pspacek commented: """ @tiran
> autoconf and automake files are not removed (Makefile.in, /config.sub ...)
According to [Automake manual section 13 What Gets Cleaned](https://www.gnu.org/software/automake/manual/html_node/Clean.html) we must not remove files necessary for `./configure`. As far as I can tell from testing, make distclean + PR #220 leaves behind only files generated by `autoreconf` so we should not remove any of them. It would prevent users from running `configure` again. """ See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259409721
[Freeipa-devel] [freeipa PR#213][comment] Build system refactoring phase 3
URL: https://github.com/freeipa/freeipa/pull/213 Title: #213: Build system refactoring phase 3 tiran commented: """ memo for me:
- [ ] /freeipa*.tar.gz is not removed
- [ ] ```MOSTLYCLEANFILES``` only cleans ipasetup.py[co] but keeps __pycache__ and other pyc/pyo. add ```clean-local: rm -rf *.pyc *.pyc __pycache__```
- [x] ```Makefile.python.am``` clean-local has ```-delete``` and ```-exec```. AFAIK only one action is supported.
- [ ] neither clean nor distclean removes ```/dist``` and ```/rpmbuild```
- [ ] autoconf and automake files are not removed (Makefile.in, /config.sub ...)
- [x] add ```ipasetup.py``` to ```dist_noinst_SCRIPTS``` ?
""" See the full comment at https://github.com/freeipa/freeipa/pull/213#issuecomment-259371190
[Freeipa-devel] [freeipa PR#195][edited] [WIP] Make ipaclient pip install-able
URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: edited Changed field: body Original value: """
## proof of concept
This makes ipaclient and dependencies pip install-able by adding install requirements to all `setup.py`. A new make target `bdist_wheel` creates wheel distributions.
## example
```
$ make bdist_wheel
$ cp ../custodia/dist/custodia-0.2-py2.py3-none-any.whl dist/
$ virtualenv /tmp/ipaenv
New python executable in /tmp/ipaenv/bin/python2
Also creating executable in /tmp/ipaenv/bin/python
Installing setuptools, pip, wheel...done.
$ /tmp/ipaenv/bin/pip install dist/*.whl
Processing ./dist/custodia-0.2-py2.py3-none-any.whl
Processing ./dist/ipaclient-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipalib-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipaplatform-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
Processing ./dist/ipapython-4.4.90.201610271437GITd812266-py2.py3-none-any.whl
...
Installing collected packages: configparser, requests, six, idna, pycparser, cffi, pyasn1, enum34, ipaddress, cryptography, jwcrypto, custodia, qrcode, python-nss, ipaplatform, netaddr, lxml, pyldap, netifaces, decorator, gssapi, dnspython, ipapython, ipalib, ipaclient
Running setup.py install for python-nss ... done
Successfully installed cffi-1.8.3 configparser-3.5.0 cryptography-1.5.2 custodia-0.2 decorator-4.0.10 dnspython-1.15.0 enum34-1.1.6 gssapi-1.2.0 idna-2.1 ipaclient-4.4.90.201610271437GITd812266 ipaddress-1.0.17 ipalib-4.4.90.201610271437GITd812266 ipaplatform-4.4.90.201610271437GITd812266 ipapython-4.4.90.201610271437GITd812266 jwcrypto-0.3.1 lxml-3.6.4 netaddr-0.7.18 netifaces-0.10.5 pyasn1-0.1.9 pycparser-2.16 pyldap-2.4.25.1 python-nss-1.0.0 qrcode-5.3 requests-2.11.1 six-1.10.0
```
## open problems
- [x] Custodia is not yet released on PyPI (to be released soon)
- [ ] dependencies are duplicated in setup.py and RPM spec
- [ ] ipaplatform hard-codes the distribution on build time
"""
[Freeipa-devel] [freeipa PR#217][synchronized] change certificate processing code to use python-cryptography
URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 From a32a6b2129e12305134bced7e2880bf08220ca81 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 10 Oct 2016 16:08:52 +1000 Subject: [PATCH 1/7] dn: support conversion from python-cryptography Name The upcoming change to using python-cryptography for certificate process will require a way to convert ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``. Update the ``DN`` constructor to accept a ``Name``. Part of: https://fedorahosted.org/freeipa/ticket/6398 --- ipapython/dn.py| 44 -- ipatests/test_ipapython/test_dn.py | 23 ++-- 2 files changed, 63 insertions(+), 4 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 3ee35c6..2f7655d 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -422,6 +422,7 @@ import sys import functools +import cryptography.x509 from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR import six @@ -976,6 +977,8 @@ class DN(object): to yield one or more RDN's which will be appended in order to the DN. The parsing recognizes the DN syntax escaping rules. +* A single ``cryptography.x509.name.Name`` object. + * A RDN object, the RDN will copied respecting the constructors keyword configuration parameters and appended in order. 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value): rdns = [[ava]] elif isinstance(value, RDN): rdns = [value.to_openldap()] +elif isinstance(value, cryptography.x509.name.Name): +rdns = list(reversed([ +[get_ava( +_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), +ava.value)] +for ava in value +])) else: -raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" % -type(value)) +raise TypeError( +"must be str, unicode, tuple, Name, RDN or DN, got %s instead" +% type(value)) return rdns def _rdns_from_sequence(self, seq): 
@@ -1407,3 +1418,32 @@ def rindex(self, pattern, start=None, end=None): if i == -1: raise ValueError("pattern not found") return i + + +_ATTR_NAME_BY_OID = { +cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', +cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', +cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', +cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', +cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', +cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', +cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', +cryptography.x509.oid.NameOID.SURNAME: 'SN', +cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', +cryptography.x509.oid.NameOID.TITLE: 'title', +cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', +cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', +cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', +cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', +cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', +cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: +'incorporationCountry', +cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: +'incorporationLocality', +cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: +'incorporationState', +cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', +cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', +cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode', +cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', +} diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a96bd33..3ca3b57 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py @@ -2,6 +2,7 @@ import unittest import pytest +from cryptography import x509 import six from ipapython.dn import DN, RDN, AVA 
@@ -621,7 +622,7 @@ class TestDN(unittest.TestCase): def setUp(self): # ava1 must sort before ava2 self.attr1= 'cn' -self.value1 = 'Bob' +self.value1 = u'Bob' self.str_ava1 = '%s=%s' % (self.attr1, self.value1) self.ava1 = AVA(self.attr1, self.value1) @@ -629,7 +630,7 @@ def setUp(self): self.rdn1 = RDN((self.attr1, self.value1)) self.attr2= 'ou' -self.value2 = 'people' +self.value2 = u'people' self.str_ava2 = '%s=%s'
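Review bot: the `import cryptography.x509` hunk in ipapython/dn.py turns python-cryptography into a hard import-time requirement of `ipapython.dn`, a module the client side also loads; make sure the ipapython/ipaclient package requirements (spec and setup.py) list it so a client without the library does not fail on import.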
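Review bot: in the `_rdns_from_value` hunk every `NameAttribute` of the `Name` becomes its own single-AVA RDN (`[get_ava(...)]` for each `ava in value`), so a multi-valued RDN in a certificate subject (two AVAs joined with `+`) is flattened into separate RDNs and the resulting `DN` no longer matches the subject. If the supported python-cryptography exposes the RDN grouping, build one RDN per group; if not, state the limitation in the `cryptography.x509.name.Name` bullet added to the docstring. The `reversed(...)` is correct, since the string/LDAP order of a DN is the reverse of the encoded X.509 order.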
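Review bot: in the `_ATTR_NAME_BY_OID` hunk the last three entries are keyed by bare `cryptography.x509.ObjectIdentifier('2.5.4.9')`, `ObjectIdentifier('2.5.4.17')` and `ObjectIdentifier('0.9.2342.19200300.100.1.1')` literals, while every other key is a named `NameOID` constant; add a comment naming each attribute (street, postalCode, uid) or use `NameOID` constants if the minimum supported python-cryptography provides them. The `EMAIL_ADDRESS: 'E'` entry also deserves a comment, since `emailAddress` is the other common short name and a reader will want to know which string the rest of IPA expects.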
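Review bot: the `from cryptography import x509` import added to ipatests/test_ipapython/test_dn.py has no use in the hunks shown here, which only switch `self.value1` and `self.value2` to unicode literals; make sure the test that exercises the new `Name` path is part of the commit, otherwise pyflakes will report the unused import.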
[Freeipa-devel] [freeipa PR#217][comment] change certificate processing code to use python-cryptography
URL: https://github.com/freeipa/freeipa/pull/217 Title: #217: change certificate processing code to use python-cryptography frasertweedale commented: """ The travis-ci failure is due to two minor pep8 violations, which I intend :) """ See the full comment at https://github.com/freeipa/freeipa/pull/217#issuecomment-259422303
[Freeipa-devel] [freeipa PR#216][comment] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/33f7b8dc32bc95e0db067ac4df49807ee2b5120e """ See the full comment at https://github.com/freeipa/freeipa/pull/216#issuecomment-259428015
[Freeipa-devel] [freeipa PR#216][closed] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Author: tomaskrizek Title: #216: libexec scripts: ldap conn management Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/216/head:pr216 git checkout pr216
[Freeipa-devel] [freeipa PR#216][+pushed] libexec scripts: ldap conn management
URL: https://github.com/freeipa/freeipa/pull/216 Title: #216: libexec scripts: ldap conn management Label: +pushed
[Freeipa-devel] [freeipa PR#218][comment] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests pspacek commented: """ Jenkins tests now pass. """ See the full comment at https://github.com/freeipa/freeipa/pull/218#issuecomment-259439106
[Freeipa-devel] [freeipa PR#218][+ack] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Label: +ack
[Freeipa-devel] [freeipa PR#221][opened] gitignore: ignore tar ball
URL: https://github.com/freeipa/freeipa/pull/221 Author: tomaskrizek Title: #221: gitignore: ignore tar ball Action: opened PR body: """ Add tar ball generated by build to gitignore. https://fedorahosted.org/freeipa/ticket/6418 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/221/head:pr221 git checkout pr221 From 1cc48844326d93b29ef0624001d5529526bfbd51 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 9 Nov 2016 16:20:56 +0100 Subject: [PATCH] gitignore: ignore tar ball Add tar ball generated by build to gitignore. https://fedorahosted.org/freeipa/ticket/6418 --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 397ae92..e1a42d6 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,7 @@ libtool build/ compile test-driver +freeipa-*.tar.gz # Python compilation *.pyc
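Review bot: the added pattern `freeipa-*.tar.gz` has no leading slash, so git ignores a matching tarball in any subdirectory, not only the one `make dist` writes to the top level next to `build/` and `compile`; `/freeipa-*.tar.gz` would be precise and would match the top-level `TARBALL = $(PACKAGE)-$(VERSION).tar.gz` that Makefile.am cleans.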
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
On 11/09/2016 04:34 PM, Milan Kubík wrote:
On 11/03/2016 04:56 PM, Oleg Fayans wrote:
Hi Martin,
The commit message was updated with the correct ticket link
Thanks for review!
On 11/03/2016 04:22 PM, Martin Basti wrote:
almost ACK, but the ticket in commit message is closed as invalid. So I'm quite puzzled now what to do.
On 03.11.2016 13:28, Oleg Fayans wrote:
ping for review
On 10/19/2016 04:54 PM, Oleg Fayans wrote:
Hi Martin,
Thanks for the review. Fixed both issues.
$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
test session starts =
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items
test_integration/test_topology.py ..
2 passed in 2444.84 seconds =
On 10/17/2016 07:05 PM, Martin Basti wrote:
1) you don't need to disable/enable dirsrv, just stop/start. Please remove disable/enable parts
2) traceback
self =
def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password])
assert(res1.stdout_text.count(replica.hostname) == 2 and "Certificate Server Replica Update Vectors" in res1), ( "CA-specific RUVs are not displayed")
E TypeError: argument of type 'SSHCommand' is not iterable
test_integration/test_topology.py:215: TypeError
entering PDB
/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()
-> assert(res1.stdout_text.count(replica.hostname) == 2 and
On 14.10.2016 11:36, Oleg Fayans wrote:
Right you are! I am sorry.
On 10/13/2016 06:10 PM, Martin Basti wrote:
I think that you forgot to squash commits. Patch 47 doesn't apply
On 13.10.2016 14:01, Oleg Fayans wrote:
Hi Martin,
Thanks for the review. With disabling directory server it works as well, thanks for the hint. Also I moved the cleanup logic to the test itself for the sake of simplicity. Patch-0048 was not changed
On 10/12/2016 02:35 PM, Martin Basti wrote:
1) Can you just turn off dirsrv on replica instead of doing iptables magic?
2) NACK No more eval() ever in code, use 'getattr', 'get' or whatever in the object that can be used.
+evalhost = eval("args[0].%s" % host)
Martin^2
On 12.10.2016 14:03, Oleg Fayans wrote:
Hi Martin,
After extensive discussion with Ludwig, I finally got the clue on how this feature works. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all replica's RUVs. If we clean replica's RUVs on master without uninstalling the replica, the replica's RUVs get recreated on master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from master. The testcases were updated, see [1] and [2] The updated versions of the patches are attached
[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:
Hi Martin,
Thanks for the review! Both patches were updated.
On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:
Hi Martin,
Thanks for the review!
On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:
Hi guys,
Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.
On 06/17/2016 11:18 AM, Oleg Fayans wrote:
One more test was added to the patch-0048
On 06/17/2016 09:43 AM, Oleg Fayans wrote:
Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
On 06/16/2016 04:46 PM, Oleg Fayan
[Freeipa-devel] [freeipa PR#218][closed] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Author: martbab Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/218/head:pr218 git checkout pr218
[Freeipa-devel] [freeipa PR#218][+pushed] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests Label: +pushed
[Freeipa-devel] [freeipa PR#218][comment] test_ipagetkeytab: use system-wide IPA CA cert location in tests
URL: https://github.com/freeipa/freeipa/pull/218 Title: #218: test_ipagetkeytab: use system-wide IPA CA cert location in tests martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3ecda74d14066f6609d72422041bcc0c6499de77 """ See the full comment at https://github.com/freeipa/freeipa/pull/218#issuecomment-259444757
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
On 11/03/2016 04:56 PM, Oleg Fayans wrote:
Hi Martin,
The commit message was updated with the correct ticket link
Thanks for review!
On 11/03/2016 04:22 PM, Martin Basti wrote:
almost ACK, but the ticket in commit message is closed as invalid. So I'm quite puzzled now what to do.
On 03.11.2016 13:28, Oleg Fayans wrote:
ping for review
On 10/19/2016 04:54 PM, Oleg Fayans wrote:
Hi Martin,
Thanks for the review. Fixed both issues.
$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
test session starts =
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items
test_integration/test_topology.py ..
2 passed in 2444.84 seconds =
On 10/17/2016 07:05 PM, Martin Basti wrote:
1) you don't need to disable/enable dirsrv, just stop/start. Please remove disable/enable parts
2) traceback
self =
def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p', master.config.dirman_password])
assert(res1.stdout_text.count(replica.hostname) == 2 and "Certificate Server Replica Update Vectors" in res1), ( "CA-specific RUVs are not displayed")
E TypeError: argument of type 'SSHCommand' is not iterable
test_integration/test_topology.py:215: TypeError
entering PDB
/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()
-> assert(res1.stdout_text.count(replica.hostname) == 2 and
On 14.10.2016 11:36, Oleg Fayans wrote:
Right you are! I am sorry.
On 10/13/2016 06:10 PM, Martin Basti wrote:
I think that you forgot to squash commits. Patch 47 doesn't apply
On 13.10.2016 14:01, Oleg Fayans wrote:
Hi Martin,
Thanks for the review. With disabling directory server it works as well, thanks for the hint. Also I moved the cleanup logic to the test itself for the sake of simplicity. Patch-0048 was not changed
On 10/12/2016 02:35 PM, Martin Basti wrote:
1) Can you just turn off dirsrv on replica instead of doing iptables magic?
2) NACK No more eval() ever in code, use 'getattr', 'get' or whatever in the object that can be used.
+evalhost = eval("args[0].%s" % host)
Martin^2
On 12.10.2016 14:03, Oleg Fayans wrote:
Hi Martin,
After extensive discussion with Ludwig, I finally got the clue on how this feature works. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all replica's RUVs. If we clean replica's RUVs on master without uninstalling the replica, the replica's RUVs get recreated on master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from master. The testcases were updated, see [1] and [2] The updated versions of the patches are attached
[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:
Hi Martin,
Thanks for the review! Both patches were updated.
On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:
Hi Martin,
Thanks for the review!
On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:
Hi guys,
Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.
On 06/17/2016 11:18 AM, Oleg Fayans wrote:
One more test was added to the patch-0048
On 06/17/2016 09:43 AM, Oleg Fayans wrote:
Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
On 06/16/2016 04:46 PM, Oleg Fayans wrote:
IIUC, this will turn off the
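The NACK in this thread (and in the earlier copy of the same thread on this page) rejects `+evalhost = eval("args[0].%s" % host)` in favour of `getattr`. The following is an added example written for this page, not code from the patch or from FreeIPA's test suite: it resolves a host selector such as `master` or `replicas[0]` by parsing it, checking it against an allow-list and then using `getattr` plus ordinary indexing, with the rejected `eval` form kept alongside for comparison. The `Hosts` class, the attribute names `master`/`replicas`/`clients` and the `name[index]` selector syntax are assumptions about what the test code needed.

```python
import re


class Hosts(object):
    """Constructed stand-in for the multihost fixture object that the test in
    the thread reaches through args[0]; the attribute names are assumptions."""

    def __init__(self, **hosts):
        self.__dict__.update(hosts)


# Only these attributes may be selected by name.  The check runs before
# getattr(), so method names and dunder attributes can never be reached.
ALLOWED_HOST_ATTRS = frozenset({"master", "replicas", "clients"})

# Accepted selector shapes: "master" or "replicas[0]"; anything else is
# rejected by the regular expression before any lookup happens.
_SELECTOR = re.compile(r"^(?P<attr>[a-z_]+)(?:\[(?P<idx>\d+)\])?$")


def host_by_eval(args, host):
    """The rejected pattern from the thread: the selector is spliced into
    source text and executed, so this is code execution, not a lookup.
    Kept only so the two forms can be compared on the same input."""
    return eval("args[0].%s" % host)


def host_by_getattr(args, selector):
    """The replacement: parse the selector, enforce the allow-list, then use
    getattr() and plain list indexing.  No string is ever executed."""
    m = _SELECTOR.match(selector)
    if m is None or m.group("attr") not in ALLOWED_HOST_ATTRS:
        raise ValueError("unsupported host selector: %r" % (selector,))
    value = getattr(args[0], m.group("attr"))
    if m.group("idx") is not None:
        value = value[int(m.group("idx"))]
    return value


def rejects(args, selector):
    """True when host_by_getattr() refuses the selector with ValueError."""
    try:
        host_by_getattr(args, selector)
    except ValueError:
        return True
    return False


# Constructed sample topology (hostnames are placeholders).
SAMPLE_ARGS = [Hosts(master="master.ipa.test",
                     replicas=["replica1.ipa.test", "replica2.ipa.test"],
                     clients=[])]

if __name__ == "__main__":
    print(host_by_getattr(SAMPLE_ARGS, "master"))
    print(host_by_getattr(SAMPLE_ARGS, "replicas[1]"))
    print(rejects(SAMPLE_ARGS, "__class__"))
```

The allow-list matters as much as dropping `eval()`: `getattr()` on its own would still hand back any attribute a selector names, including methods and dunders, so the replacement restricts both the syntax and the set of reachable names.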
[Freeipa-devel] [freeipa PR#222][opened] Fix ipa-replica-install when upgrade from ca-less to ca-full
URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: opened PR body: """ When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/222/head:pr222 git checkout pr222 From 1e59de3b6dbe573e0de19d8366da3632f281b422 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 9 Nov 2016 15:14:27 +0100 Subject: [PATCH] Fix ipa-replica-install when upgrade from ca-less to ca-full When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375 --- ipaserver/install/ipa_replica_prepare.py | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index e6699d8..c1dc8a3 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py 
@@ -40,6 +40,7 @@ from ipapython.dn import DN from ipapython import version from ipalib import api +from ipalib import certstore, x509 from ipalib import errors from ipaplatform.paths import paths from ipalib.constants import CACERT, DOMAIN_LEVEL_0 @@ -361,6 +362,7 @@ def run(self): if options.setup_pkinit: self.copy_pkinit_certificate() +self.retrieve_ca_certs() self.copy_misc_files() self.save_config() @@ -448,12 +450,23 @@ def copy_pkinit_certificate(self): def copy_misc_files(self): self.log.info("Copying additional files") -self.copy_info_file(CACERT, "ca.crt") cacert_filename = paths.CACERT_PEM if ipautil.file_exists(cacert_filename): self.copy_info_file(cacert_filename, "cacert.pem") self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf") +def retrieve_ca_certs(self): +self.log.info("Retrieving CA certificates") +ca_certs = certstore.get_ca_certs(api.Backend.ldap2, api.env.basedn, + api.env.realm, False) +certs = (c[0] for c in ca_certs if c[2] is not False) +dest = os.path.join(self.dir, "ca.crt") +try: +x509.write_certificate_list(certs, dest) +except Exception as e: +raise admintool.ScriptError( +"File creation {0} failed: {1}".format(dest, e)) + def save_config(self): self.log.info("Finalizing configuration") -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
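Review bot: In the `copy_misc_files`/`retrieve_ca_certs` hunk, `certs = (c[0] for c in ca_certs if c[2] is not False)` keeps entries whose trust value is `None` as well as `True`. Because `ca.crt` in the replica file becomes the new replica's initial set of trust anchors, confirm that unknown-trust CA entries are meant to be shipped, or tighten the filter to `c[2] is True` and say so in a comment.

Review bot: The `run()` hunk calls `self.retrieve_ca_certs()` before `copy_misc_files()`, and the new method reads from `api.Backend.ldap2`; the visible context does not show where the LDAP connection is established, so verify it is connected at that point (the old code only copied a local file and needed no connection).

Review bot: With `self.copy_info_file(CACERT, "ca.crt")` removed, check whether `CACERT` in `from ipalib.constants import CACERT, DOMAIN_LEVEL_0` still has a use in this module; if not, drop it from the import to keep pylint clean. The hunk also relies on `os` and `admintool` already being imported in ipa_replica_prepare.py, which the context lines do not show.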
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:
1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus calls are executed as a string instead of as an array of strings because it just does not work otherwise. Some quote escaping gets screwed probably, but the system returns "Error org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the command is executed using the standard array-based approach.

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
test session starts
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items
test_integration/test_idviews.py ..
2 passed in 948.44 seconds

On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues.

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides. The integration part still needs some polishing in the part related to user lookup by cert.

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one containing tests for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

Oleg, we already have XMLRPC tests for idoverrides: ipatests/test_xmlrpc/test_idviews_plugin.py. Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend the `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:

On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have the SSSD check involved there, please use what Sumit recommends. No new test cases. And this can be done by a separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread).

Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:

On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:

On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature, not just for AD.

Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from test?

We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

Thank you Alexander and Sumit for hints.

Oleg, I realized we don't have any other idviews integration tests, so I propose to rename the test file you are adding to test_idviews.py. We can add more testcases for idviews there later.

Martin^2

Martin^2
[Freeipa-devel] [freeipa PR#223][opened] LDAP refactoring: remove admin_conn
URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: opened PR body: """ This first commit removes the admin_conn alias for api.Backend.ldap2 that was previously used in services. When trying to get rid of it, I found some legacy code in ipa-server-upgrade. The second commit improves ldap connection management in upgrade and removes useless start and stops of directory server at random places. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223 From 989c669a6801b6658399eb4dc37d72b6f8627acc Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 9 Nov 2016 12:53:14 +0100 Subject: [PATCH 1/2] services: replace admin_conn with api.Backend.ldap2 Since service.admin_conn is only an alias to api.Backend.ldap2, replace it everywhere with the explicit api.Backend.ldap2 instead. https://fedorahosted.org/freeipa/ticket/6461 --- install/tools/ipa-adtrust-install| 6 +-- ipaserver/install/adtrustinstance.py | 79 +--- ipaserver/install/bindinstance.py| 10 ++-- ipaserver/install/cainstance.py | 22 - ipaserver/install/dnskeysyncinstance.py | 6 +-- ipaserver/install/dogtaginstance.py | 16 +++ ipaserver/install/dsinstance.py | 24 +- ipaserver/install/httpinstance.py| 9 ++-- ipaserver/install/kra.py | 7 +-- ipaserver/install/krbinstance.py | 13 +++--- ipaserver/install/odsexporterinstance.py | 4 +- ipaserver/install/opendnssecinstance.py | 6 +-- ipaserver/install/service.py | 44 -- 13 files changed, 123 insertions(+), 123 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 8eed519..8b75d5c 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -411,7 +411,7 @@ def main(): try: # Search only masters which have support for domain levels # because only these masters will have SSSD recent enough to support AD trust agents -entries_m, _truncated = smb.admin_conn.find_entries( +entries_m, _truncated = api.Backend.ldap2.find_entries( filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))", base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL) except errors.NotFound: @@ -421,7 +421,7 @@ def main(): print(unicode(e)) try: - entries_a, _truncated = smb.admin_conn.find_entries( + entries_a, _truncated = api.Backend.ldap2.find_entries( filter="", base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE) except errors.NotFound: @@ -470,7 +470,7 @@ def main(): # Add the CIFS and host principals to the 'adtrust agents' group # as 389-ds only operates with GroupOfNames, we have to use # the principal's proper dn as defined in self.cifs_agent -service.add_principals_to_group(smb.admin_conn, agents_dn, "member", +service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member", [x[1] for x in new_agents]) print(""" WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 7ccd302..2757037 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -207,7 +207,7 @@ def __add_admin_sids(self): admin_group_dn = DN(('cn', 'admins'), api.env.container_group, self.suffix) try: -dom_entry = self.admin_conn.get_entry(self.smb_dom_dn) +dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn) except errors.NotFound: self.print_msg("Samba domain object not found") return 
@@ -218,13 +218,13 @@ def __add_admin_sids(self): return try: -admin_entry = self.admin_conn.get_entry(admin_dn) +admin_entry = api.Backend.ldap2.get_entry(admin_dn) except errors.NotFound: self.print_msg("IPA admin object not found") return try: -admin_group_entry = self.admin_conn.get_entry(admin_group_dn) +admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn) except errors.NotFound: self.print_msg("IPA admin group object not found") return @@ -233,9 +233,10 @@ def __add_admin_sids(self): self.print_msg("Admin SID already set, nothing to do") else: try: -self.admin_conn.modify_s(admin_d
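Review bot: The ipa-adtrust-install hunks replace `smb.admin_conn.find_entries(...)` with `api.Backend.ldap2.find_entries(...)` and pass `api.Backend.ldap2` to `service.add_principals_to_group`, so the script now needs `api` in scope (`from ipalib import api`) where `smb` alone sufficed before; the context lines do not show that import, so verify it is present.

Review bot: The adtrustinstance.py hunks swap `self.admin_conn.get_entry(...)` for `api.Backend.ldap2.get_entry(...)`; this is behaviour-preserving only because, as the commit message states, `admin_conn` was an alias for the same connection, so every call site still depends on the backend being connected at that point. The diff on this page is cut off at `self.admin_conn.modify_s(admin_d`, so the `modify_s` replacement and the remaining files cannot be reviewed here.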
[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports
URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

mbasti-rh commented:
"""
Hello, can you please provide use cases for this, or some kind of top-level design: what problem are you solving, why, and how do you plan to resolve it? We may help you then to create an optimal solution. Current code is hard to read and I think you copy&pasted a lot of code from other IPA parts; also, IPA code should not install any other packages. For me it looks more like work for some provisioning system like Ansible than an IPA script, so I would like to see design/use cases first.

Thanks
"""

See the full comment at https://github.com/freeipa/freeipa/pull/215#issuecomment-259449810
[Freeipa-devel] [freeipa PR#188][closed] Move Python egg-info to top level directory
URL: https://github.com/freeipa/freeipa/pull/188
Author: tiran
Title: #188: Move Python egg-info to top level directory
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/188/head:pr188
git checkout pr188
[Freeipa-devel] [freeipa PR#188][comment] Move Python egg-info to top level directory
URL: https://github.com/freeipa/freeipa/pull/188
Title: #188: Move Python egg-info to top level directory

tiran commented:
"""
I'm closing this PR because the issue can't be fixed w/o patching setuptools heavily. I got it mostly right except for SOURCES.txt. We need to revise the project structure at a later point.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/188#issuecomment-259453244
[Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible
URL: https://github.com/freeipa/freeipa/pull/197 Author: tiran Title: #197: Make setup.py files PyPI compatible Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/197/head:pr197 git checkout pr197 From dd20cef34b3c6f26b818fcc885b6ae031b27bbda Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 31 Oct 2016 09:19:15 +0100 Subject: [PATCH] Make setup.py files PyPI compatible - Use PEP 440 compatible version schema - Use correct classifiers Signed-off-by: Christian Heimes --- ipasetup.py.in | 38 -- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/ipasetup.py.in b/ipasetup.py.in index 2835527..b30e941 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -1,5 +1,4 @@ -#!/usr/bin/python2 -# Copyright (C) 2014 Red Hat +# Copyright (C) 2016 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -18,9 +17,21 @@ import os import sys +VERSION = "@VERSION@" + +if 'GIT' in VERSION: +# Convert FreeIPA version scheme to PEP 440 version schema. Dev versions +# must be monotonic increasing numbers. Git hashes act as additional +# qualifiers. +# FreeIPA schema: 4.4.90.201610281620GITd0c17b4 +# PEP 440 schema: 4.4.90.dev201610281620+gitd0c17b4 +prefix, suffix = VERSION.rsplit('.', 1) +date, githash = suffix.split('GIT') +VERSION = "{}.dev{}+git{}".format(prefix, date, githash) + common_args = dict( -version="@VERSION@", -license="GPL", +version=VERSION, +license="GPLv3+", author="FreeIPA Developers", author_email="freeipa-devel@redhat.com", maintainer="FreeIPA Developers", 
@@ -30,14 +41,21 @@ common_args = dict( platforms=["Linux", "Solaris", "Unix"], classifiers=[ "Development Status :: 5 - Production/Stable", -("Topic :: System :: Systems Administration :: " - "Authentication/Directory :: LDAP"), -"Topic :: Internet :: Name Service (DNS)", -"Intended Audience :: System Environment/Base", -"License :: GPL", -"Programming Language :: Python", +"Intended Audience :: System Administrators", +("License :: OSI Approved :: " + "GNU General Public License v3 or later (GPLv3+)"), +"Programming Language :: C", +"Programming Language :: Python :: 2", +"Programming Language :: Python :: 2.7", +"Programming Language :: Python :: 3", +"Programming Language :: Python :: 3.5", +"Programming Language :: Python :: Implementation :: CPython", "Operating System :: POSIX", +"Operating System :: POSIX :: Linux", "Operating System :: Unix", +"Topic :: Internet :: Name Service (DNS)", +("Topic :: System :: Systems Administration :: " + "Authentication/Directory :: LDAP"), ], ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
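Review bot: In the version-conversion hunk, `date, githash = suffix.split('GIT')` assumes `GIT` occurs exactly once and only in the last dot-separated component; if the `'GIT' in VERSION` guard matches anywhere else, the tuple unpack raises `ValueError` at import time of every setup.py. Checking `'GIT' in suffix` after the `rsplit` (or matching the expected `<digits>GIT<hex>` shape with a regex) would fail with a clearer message. Also worth noting in the comment: a local version label such as `+gitd0c17b4` is valid PEP 440 and installs locally, but PyPI rejects uploads that carry one, so only non-GIT versions can be published.

Review bot: The classifiers hunk declares `Programming Language :: Python :: 3` and `:: 3.5` for every package built through ipasetup.py.in, including the server-side ones; make sure that holds for all of them, otherwise the metadata overstates compatibility.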
[Freeipa-devel] [freeipa PR#187][synchronized] Register entry points of Custodia plugins
URL: https://github.com/freeipa/freeipa/pull/187 Author: tiran Title: #187: Register entry points of Custodia plugins Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/187/head:pr187 git checkout pr187 From 0677a09ff8a1984a23b876806fd9e1727a842c0e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 26 Oct 2016 11:14:06 +0200 Subject: [PATCH] Register entry points of Custodia plugins With setuptools in place FreeIPA is able to register its Custodia plugins. Custodia 0.1 ignores the plugins directives. Custodia 0.2 uses the entry points to discover plugins. Signed-off-by: Christian Heimes --- ipapython/setup.py | 8 1 file changed, 8 insertions(+) diff --git a/ipapython/setup.py b/ipapython/setup.py index 47acdd6..28937eb 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -38,4 +38,12 @@ "ipapython.secrets", "ipapython.install" ], +entry_points={ +'custodia.authorizers': [ +'IPAKEMKeys = ipapython.secrets.kem:IPAKEMKeys', +], +'custodia.stores': [ +'iSecStore = ipapython.secrets.store:iSecStore', +], +}, ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
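Review bot: The `entry_points` hunk registers `IPAKEMKeys` and `iSecStore` under `custodia.authorizers` and `custodia.stores`; a typo in either name or target is only detected when Custodia 0.2 resolves the handler at runtime, so add a test that loads both entry points (e.g. via `pkg_resources.iter_entry_points`) and asserts they resolve to `ipapython.secrets.kem.IPAKEMKeys` and `ipapython.secrets.store.iSecStore`. Note also that entry points exist only where the package metadata (egg-info/dist-info) is installed, so the RPM packaging must ship it for discovery to work.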
[Freeipa-devel] [freeipa PR#180][synchronized] Make api.env.nss_dir relative to api.env.confdir
URL: https://github.com/freeipa/freeipa/pull/180 Author: tiran Title: #180: Make api.env.nss_dir relative to api.env.confdir Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/180/head:pr180 git checkout pr180 From c062f7a34305e22860564f6333487f307911df0e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 24 Oct 2016 09:39:49 +0200 Subject: [PATCH] Make api.env.nss_dir relative to api.env.confdir api.env.nss_dir is no longer hard-coded to paths.IPA_NSSDB_DIR. Instead the path is calculated relatively to api.env.confdir. The default value is still /etc/ipa/nssdb. The change makes it a bit easier to run FreeIPA's API with a custom configuration directory. See https://fedorahosted.org/freeipa/ticket/6386 Signed-off-by: Christian Heimes --- ipalib/config.py| 3 +++ ipalib/constants.py | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index cf9e925..1075d62 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -474,6 +474,9 @@ def _bootstrap(self, **overrides): if 'conf_default' not in self: self.conf_default = self._join('confdir', 'default.conf') +if 'nss_dir' not in self: +self.nss_dir = self._join('confdir', 'nssdb') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index c423117..7328c28 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -133,8 +133,6 @@ ('rpc_protocol', 'jsonrpc'), -('nss_dir', paths.IPA_NSSDB_DIR), - # Define an inclusive range of SSL/TLS version support ('tls_version_min', 'tls1.0'), ('tls_version_max', 'tls1.2'), 
@@ -229,6 +227,7 @@ ('conf', object), # File containing context specific config ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) +('nss_dir', object), # Path to nssdb, default {confdir}/nssdb # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
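Review bot: The config.py hunk computes the default as `self._join('confdir', 'nssdb')` and the constants.py hunk drops `('nss_dir', paths.IPA_NSSDB_DIR)`, so a platform module that defines a different `IPA_NSSDB_DIR` no longer influences `api.env.nss_dir`; if no platform does, that is fine, but then check whether `paths` is still used anywhere in ipalib/constants.py and remove the import if not. The `('nss_dir', object), # Path to nssdb, default {confdir}/nssdb` entry in the second hunk documents the new behaviour correctly.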
[Freeipa-devel] [freeipa PR#143][synchronized] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143 Author: tiran Title: #143: Issue6386 nss dir Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/143/head:pr143 git checkout pr143 From 648dc4f431ffbc8a1a7bf360ce4a708bfbf2f5eb Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 6 Oct 2016 16:24:43 +0200 Subject: [PATCH] Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR ipaclient plugins are now using nss_dir from api.env instead of hard-coded paths.IPA_NSSDB_DIR. Closes: https://fedorahosted.org/freeipa/ticket/6386 Signed-off-by: Christian Heimes --- ipaclient/ipa_certupdate.py | 2 +- ipaclient/plugins/otptoken.py | 3 +-- ipaclient/plugins/vault.py| 7 ++- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index 3678dec..6bf9831 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -111,7 +111,7 @@ def run(self): def update_client(self, certs): self.update_file(paths.IPA_CA_CRT, certs) -ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) +ipa_db = certdb.NSSDatabase(api.env.nss_dir) # Remove old IPA certs from /etc/ipa/nssdb for nickname in ('IPA CA', 'External CA cert'): diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py index dd4a718..885a612 100644 --- a/ipaclient/plugins/otptoken.py +++ b/ipaclient/plugins/otptoken.py @@ -25,7 +25,6 @@ from ipalib.messages import add_message, ResultFormattingError from ipalib.plugable import Registry from ipalib.frontend import Local -from ipaplatform.paths import paths from ipapython.dn import DN from ipapython.nsslib import NSSConnection from ipapython.version import API_VERSION 
@@ -174,7 +173,7 @@ def forward(self, *args, **kwargs): # Sync the token. # pylint: disable=E1101 -handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR, +handler = HTTPSHandler(dbdir=api.env.nss_dir, tls_version_min=api.env.tls_version_min, tls_version_max=api.env.tls_version_max) rsp = urllib.request.build_opener(handler).open(sync_uri, query) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index b8b4f29..c099e9e 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -43,7 +43,6 @@ from ipalib import Bytes, Flag, Str from ipalib.plugable import Registry from ipalib import _ -from ipaplatform.paths import paths def validated_read(argname, filename, mode='r', encoding=None): @@ -752,8 +751,7 @@ def forward(self, *args, **options): error=_('Invalid vault type')) # initialize NSS database -current_dbdir = paths.IPA_NSSDB_DIR -nss.nss_init(current_dbdir) +nss.nss_init(api.env.nss_dir) # retrieve transport certificate config = self.api.Command.vaultconfig_show()['result'] @@ -912,8 +910,7 @@ def forward(self, *args, **options): vault_type = vault['ipavaulttype'][0] # initialize NSS database -current_dbdir = paths.IPA_NSSDB_DIR -nss.nss_init(current_dbdir) +nss.nss_init(api.env.nss_dir) # retrieve transport certificate config = self.api.Command.vaultconfig_show()['result'] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
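Review bot: In both vault.py hunks `nss.nss_init(api.env.nss_dir)` uses a module-level `api`, while the surrounding code uses `self.api` (`self.api.Command.vaultconfig_show()`), and the visible imports (`from ipalib import Bytes, Flag, Str`, `from ipalib import _`) do not include `api`. Either add the import or, preferably, use `self.api.env.nss_dir` for consistency with the rest of the plugin.

Review bot: In the ipa_certupdate.py hunk the comment `# Remove old IPA certs from /etc/ipa/nssdb` is now stale, since the database path is whatever `api.env.nss_dir` resolves to; update it to refer to `api.env.nss_dir`.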
[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

tiran commented:
"""
I have fixed all places that don't depend on hard-coded paths. The other places are used for client enrolment and depend on hard-coded paths for sysrestore. Some places use the path before ipalib.api is initialized.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259456183
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
ipapython.admintool.ScriptError still prints the full traceback:

```
$ IPA_CONFDIR=/tmp/ipa ./ipa
[2016-11-09T16:35:38Z ipa] : ScriptError: IPA_CONFDIR must be an absolute path to an existing directory.
Traceback (most recent call last):
  File "/home/heimes/redhat/freeipa/ipalib/cli.py", line 1345, in run
    (_options, argv) = api.bootstrap_with_global_options(context='cli')
  File "/home/heimes/redhat/freeipa/ipalib/plugable.py", line 580, in bootstrap_with_global_options
    self.bootstrap(parser, **overrides)
  File "/home/heimes/redhat/freeipa/ipalib/plugable.py", line 436, in bootstrap
    self.env._bootstrap(**overrides)
  File "/home/heimes/redhat/freeipa/ipalib/config.py", line 470, in _bootstrap
    'IPA_CONFDIR must be an absolute path to an '
ScriptError: IPA_CONFDIR must be an absolute path to an existing directory.
[2016-11-09T16:35:38Z ipa] : an internal error has occurred
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259460953
[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 From 3047e5472166e5aee8ec283188da32a46aefdbe9 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 24 Oct 2016 10:35:41 +0200 Subject: [PATCH] Use env var IPA_CONFDIR to get confdir for cli contexts For 'cli' and 'cli_installer' contexts, the environment variable IPA_CONFDIR overrides the default confdir path. The value of the environment variable must be an absolute path to an existing directory. The new variable makes it much simpler to use the 'ipa' command and ipalib with a local configuration directory. Server and server installer contexts do not use the env var. Signed-off-by: Christian Heimes --- client/man/ipa.1 | 4 ipalib/config.py | 11 ++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/client/man/ipa.1 b/client/man/ipa.1 index 9194ca0..b843e7b 100644 --- a/client/man/ipa.1 +++ b/client/man/ipa.1 @@ -186,6 +186,10 @@ The ipa client will determine which server to connect to in this order: .TP If a kerberos error is raised by any of the requests then it will stop processing and display the error message. +.SH "ENVIRONMENT VARIABLES" +.TP +\fBIPA_CONFDIR\fR +Override path to confdir (default: \fB/etc/ipa\fR). .SH "FILES" .TP \fB/etc/ipa/default.conf\fR diff --git a/ipalib/config.py b/ipalib/config.py index cf9e925..77c28a6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -43,6 +43,7 @@ from ipalib.base import check_name from ipalib.constants import CONFIG_SECTION from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR +from ipapython.admintool import ScriptError if six.PY3: unicode = str 
@@ -461,7 +462,15 @@ def _bootstrap(self, **overrides): # Set confdir: if 'confdir' not in self: -if self.in_tree: +ipa_confdir = os.environ.get('IPA_CONFDIR') +env_contexts = {'cli', 'cli_installer'} +if ipa_confdir is not None and self.context in env_contexts: +if not path.isabs(ipa_confdir) or not path.isdir(ipa_confdir): +raise ScriptError( +'IPA_CONFDIR must be an absolute path to an ' +'existing directory.') +self.confdir = ipa_confdir +elif self.in_tree: self.confdir = self.dot_ipa else: self.confdir = path.join('/', 'etc', 'ipa') -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
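Review bot: The ipa.1 hunk says only `Override path to confdir (default: /etc/ipa)`; it should state what the config.py hunk enforces, namely that the variable is honoured only in the `cli` and `cli_installer` contexts and must be an absolute path to an existing directory, so users do not expect it to affect server processes.

Review bot: The config.py hunk raises `ScriptError` from `Env._bootstrap`, which makes `ipalib.config` import `ipapython.admintool`, and, as the comment above on this PR shows, `ipalib.cli` currently reports that exception as "an internal error has occurred" with a full traceback instead of a one-line usage error. Either raise an `ipalib`-level error that `cli.run` already formats, or catch `ScriptError` around `api.bootstrap_with_global_options` in `cli.run`. Restricting the override to the client contexts is the right choice: a server or server-installer process should not have its configuration directory redirected through an environment variable.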
[Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able
URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 From ecbc43635405147a42ca39cea9aec554b1688a8d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 27 Oct 2016 14:04:58 +0200 Subject: [PATCH 1/2] Add install requirements to Python packages Signed-off-by: Christian Heimes --- Makefile.am | 21 - Makefile.python.am| 7 +++ ipaclient/setup.cfg | 4 ipaclient/setup.py| 11 +++ ipalib/setup.cfg | 4 ipalib/setup.py | 8 ipaplatform/setup.cfg | 4 ipaplatform/setup.py | 7 +++ ipapython/setup.cfg | 4 ipapython/setup.py| 17 + ipaserver/setup.cfg | 4 ipaserver/setup.py| 23 +++ ipasetup.py.in| 24 ipatests/setup.cfg| 4 ipatests/setup.py | 23 ++- 15 files changed, 163 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index ffa5de2..09ce753 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,5 @@ -SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po +IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo @@ -105,3 +106,21 @@ jslint-ui-test: jslint-html: cd $(top_srcdir)/install/html; \ jsl -nologo -nosummary -nofilelisting -conf jsl.conf + +.PHONY: bdist_wheel wheel_bundle +WHEELDISTDIR = $(top_builddir)/dist/wheels +WHEELBUNDLEDIR = $(top_builddir)/dist/bundle + +$(WHEELDISTDIR): + mkdir -p $(WHEELDISTDIR) + +$(WHEELBUNDLEDIR): + mkdir -p $(WHEELBUNDLEDIR) + +bdist_wheel: $(WHEELDISTDIR) + for dir in $(IPACLIENT_SUBDIRS); do \ + $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ + done + +wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel + $(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl 
diff --git a/Makefile.python.am b/Makefile.python.am index 0ea3fcf..eb6fdc2 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -36,3 +36,10 @@ dist-hook: if test -x "$(srcdir)/$${FILEN}"; then MODE=755; else MODE=644; fi; \ $(INSTALL) -D -m $${MODE} "$(srcdir)/$${FILEN}" "$(distdir)/$${FILEN}" || exit $$?; \ done + + +WHEELDISTDIR = $(top_builddir)/dist/wheels +.PHONY: bdist_wheel +bdist_wheel: + rm -rf $(WHEELDISTDIR)/$(pkgname)*.whl + $(PYTHON) "$(srcdir)/setup.py" bdist_wheel --dist-dir=$(WHEELDISTDIR) diff --git a/ipaclient/setup.cfg b/ipaclient/setup.cfg index 34abb12..666b750 100644 --- a/ipaclient/setup.cfg +++ b/ipaclient/setup.cfg @@ -1,4 +1,8 @@ +[sdist] +dist-dir = ../dist + [bdist_wheel] +dist-dir = ../dist universal = 1 [metadata] diff --git a/ipaclient/setup.py b/ipaclient/setup.py index 32778b0..6d12171 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -42,4 +42,15 @@ "ipaclient.remote_plugins.2_156", "ipaclient.remote_plugins.2_164", ], +install_requires=[ +"cryptography", +"ipalib", +"ipapython", +"python-nss", +"qrcode", +"six", +], +extra_requires = { +"otptoken_yubikey": ["yubico", "usb"] +} ) diff --git a/ipalib/setup.cfg b/ipalib/setup.cfg index 34abb12..666b750 100644 --- a/ipalib/setup.cfg +++ b/ipalib/setup.cfg @@ -1,4 +1,8 @@ +[sdist] +dist-dir = ../dist + [bdist_wheel] +dist-dir = ../dist universal = 1 [metadata] diff --git a/ipalib/setup.py b/ipalib/setup.py index 982a783..2a7754c 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -35,4 +35,12 @@ packages=[ "ipalib", ], +install_requires=[ +"ipaplatform", +"ipapython", +"netaddr", +"pyasn1", +"python-nss", +"six", +], ) diff --git a/ipaplatform/setup.cfg b/ipaplatform/setup.cfg index 34abb12..666b750 100644 --- a/ipaplatform/setup.cfg +++ b/ipaplatform/setup.cfg @@ -1,4 +1,8 @@ +[sdist] +dist-dir = ../dist + [bdist_wheel] +dist-dir = ../dist universal = 1 [metadata] diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index 82499da..98a9f08 100644 
--- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -39,4 +39,11 @@ "ipaplatform.redhat", "ipaplatform.rhel" ], +install_requires=[ +"cffi", +# "ipalib", # circular dependency +"pyasn1", +"python-nss", +"six", +], ) diff --git a/ipapython/setup.cfg b/ipapython/setup.cfg index 34abb12..666b750 100644 --- a/ipapython/setup.cfg +++ b
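Review bot: In the ipaclient/setup.py hunk, `extra_requires = {"otptoken_yubikey": ["yubico", "usb"]}` is not a setuptools keyword; the correct name is `extras_require`, so as written the yubikey extra is silently dropped (setuptools only emits an unknown-option warning). Rename it and drop the spaces around `=` to match the other keyword arguments.

Review bot: The setup.cfg hunks set `dist-dir = ../dist` under `[bdist_wheel]`, but Makefile.python.am invokes `setup.py bdist_wheel --dist-dir=$(WHEELDISTDIR)` (dist/wheels), and the command-line option wins; one of the two should go so the output location is defined in a single place.

Review bot: The `wheel_bundle` target in Makefile.am runs `pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl`, which resolves the unpinned `install_requires` entries (`cryptography`, `six`, `netaddr`, ...) from the configured package index at build time, so the bundle contents depend on whatever the index serves that day. A constraints file with pinned versions, or `--no-index --find-links` pointing at a vetted wheel directory, would make the bundle reproducible and keep build-time network fetches out of the release artefact.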
[Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able
URL: https://github.com/freeipa/freeipa/pull/195 Author: tiran Title: #195: [WIP] Make ipaclient pip install-able Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/195/head:pr195 git checkout pr195 From 86ed56da96246e7bda1cdf79eb7fa88acbaeb054 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 27 Oct 2016 14:04:58 +0200 Subject: [PATCH] Add install requirements to Python packages Signed-off-by: Christian Heimes --- Makefile.am | 21 - Makefile.python.am | 6 ++ ipaclient/setup.py | 11 +++ ipalib/setup.py | 8 ipaplatform/setup.py | 7 +++ ipapython/setup.py | 17 + ipaserver/setup.py | 23 +++ ipasetup.py.in | 24 ipatests/setup.py| 23 ++- 9 files changed, 138 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index ffa5de2..09ce753 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,5 @@ -SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po +IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo @@ -105,3 +106,21 @@ jslint-ui-test: jslint-html: cd $(top_srcdir)/install/html; \ jsl -nologo -nosummary -nofilelisting -conf jsl.conf + +.PHONY: bdist_wheel wheel_bundle +WHEELDISTDIR = $(top_builddir)/dist/wheels +WHEELBUNDLEDIR = $(top_builddir)/dist/bundle + +$(WHEELDISTDIR): + mkdir -p $(WHEELDISTDIR) + +$(WHEELBUNDLEDIR): + mkdir -p $(WHEELBUNDLEDIR) + +bdist_wheel: $(WHEELDISTDIR) + for dir in $(IPACLIENT_SUBDIRS); do \ + $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ + done + +wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel + $(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl diff --git a/Makefile.python.am b/Makefile.python.am index 0ea3fcf..2ccd383 100644 --- a/Makefile.python.am +++ b/Makefile.python.am 
@@ -36,3 +36,9 @@ dist-hook: if test -x "$(srcdir)/$${FILEN}"; then MODE=755; else MODE=644; fi; \ $(INSTALL) -D -m $${MODE} "$(srcdir)/$${FILEN}" "$(distdir)/$${FILEN}" || exit $$?; \ done + +WHEELDISTDIR = $(top_builddir)/dist/wheels +.PHONY: bdist_wheel +bdist_wheel: + rm -rf $(WHEELDISTDIR)/$(pkgname)*.whl + $(PYTHON) "$(srcdir)/setup.py" bdist_wheel --dist-dir=$(WHEELDISTDIR) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index 32778b0..6d12171 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -42,4 +42,15 @@ "ipaclient.remote_plugins.2_156", "ipaclient.remote_plugins.2_164", ], +install_requires=[ +"cryptography", +"ipalib", +"ipapython", +"python-nss", +"qrcode", +"six", +], +extra_requires = { +"otptoken_yubikey": ["yubico", "usb"] +} ) diff --git a/ipalib/setup.py b/ipalib/setup.py index 982a783..2a7754c 100644 --- a/ipalib/setup.py +++ b/ipalib/setup.py @@ -35,4 +35,12 @@ packages=[ "ipalib", ], +install_requires=[ +"ipaplatform", +"ipapython", +"netaddr", +"pyasn1", +"python-nss", +"six", +], ) diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py index 82499da..98a9f08 100644 --- a/ipaplatform/setup.py +++ b/ipaplatform/setup.py @@ -39,4 +39,11 @@ "ipaplatform.redhat", "ipaplatform.rhel" ], +install_requires=[ +"cffi", +# "ipalib", # circular dependency +"pyasn1", +"python-nss", +"six", +], ) diff --git a/ipapython/setup.py b/ipapython/setup.py index 47acdd6..e254253 100755 --- a/ipapython/setup.py +++ b/ipapython/setup.py @@ -38,4 +38,21 @@ "ipapython.secrets", "ipapython.install" ], +install_requires=[ +"cffi", +"custodia", +"cryptography", +"dnspython", +"gssapi", +"jwcrypto", +"ipaplatform", +# "ipalib", # circular dependency +"pyldap", +"lxml", +"netaddr", +"netifaces", +"python-nss", +"requests", +"six", +], ) diff --git a/ipaserver/setup.py b/ipaserver/setup.py index 8ce2970..0cd20da 100755 --- a/ipaserver/setup.py +++ b/ipaserver/setup.py 
@@ -43,4 +43,27 @@ 'ipaserver.install.plugins', 'ipaserver.install.server', ], +install_requires=[ +"cryptography", +"dnspython", +"dogtag-pki", +"ipaclient", +"ipalib
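Review bot: the `wheel_bundle` target in the Makefile.am hunk runs `$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl` with no index, constraints or hash pinning, so the third-party packages declared in the setup.py hunks (`cryptography`, `custodia`, `pyldap`, ...) are resolved from the default index at whatever version is current when the bundle is built, and two builds of the same tree can produce different bundles. Consider a constraints file (`pip wheel -c constraints.txt ...`) or a hash-pinned requirements file with `--require-hashes` so a release bundle is built from known versions.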
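Review bot: `extra_requires` in the ipaclient/setup.py hunk is a typo for the setuptools keyword `extras_require`; as written the `otptoken_yubikey` extra (`"yubico", "usb"`) is ignored with at most an unknown-option warning. Rename it to `extras_require = {...}`.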
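Review bot: the ipaplatform/setup.py and ipapython/setup.py hunks comment out `"ipalib"` with `# circular dependency`, while the ipalib hunk keeps `"ipaplatform"` and `"ipapython"` in its `install_requires`. pip installs mutually dependent distributions without problems, so breaking the cycle here only under-declares what `pip install ipaplatform` or `pip install ipapython` actually needs, and if those packages import ipalib (as the comment implies) a standalone install fails at import time. Either declare the edge anyway or extend the comment to say why the cycle must be broken on this side.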
[Freeipa-devel] [freeipa PR#217][synchronized] change certificate processing code to use python-cryptography
URL: https://github.com/freeipa/freeipa/pull/217 Author: frasertweedale Title: #217: change certificate processing code to use python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/217/head:pr217 git checkout pr217 From fe126fcb59f9fbca4b448f5acf0126f8e74d8a38 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 10 Oct 2016 16:08:52 +1000 Subject: [PATCH 1/7] dn: support conversion from python-cryptography Name The upcoming change to using python-cryptography for certificate process will require a way to convert ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``. Update the ``DN`` constructor to accept a ``Name``. Part of: https://fedorahosted.org/freeipa/ticket/6398 --- ipapython/dn.py| 44 -- ipatests/test_ipapython/test_dn.py | 23 ++-- 2 files changed, 63 insertions(+), 4 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 3ee35c6..2f7655d 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -422,6 +422,7 @@ import sys import functools +import cryptography.x509 from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR import six @@ -976,6 +977,8 @@ class DN(object): to yield one or more RDN's which will be appended in order to the DN. The parsing recognizes the DN syntax escaping rules. +* A single ``cryptography.x509.name.Name`` object. + * A RDN object, the RDN will copied respecting the constructors keyword configuration parameters and appended in order. 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value): rdns = [[ava]] elif isinstance(value, RDN): rdns = [value.to_openldap()] +elif isinstance(value, cryptography.x509.name.Name): +rdns = list(reversed([ +[get_ava( +_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), +ava.value)] +for ava in value +])) else: -raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" % -type(value)) +raise TypeError( +"must be str, unicode, tuple, Name, RDN or DN, got %s instead" +% type(value)) return rdns def _rdns_from_sequence(self, seq): 
@@ -1407,3 +1418,32 @@ def rindex(self, pattern, start=None, end=None): if i == -1: raise ValueError("pattern not found") return i + + +_ATTR_NAME_BY_OID = { +cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', +cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', +cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', +cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', +cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', +cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', +cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', +cryptography.x509.oid.NameOID.SURNAME: 'SN', +cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', +cryptography.x509.oid.NameOID.TITLE: 'title', +cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', +cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', +cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', +cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', +cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', +cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: +'incorporationCountry', +cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: +'incorporationLocality', +cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: +'incorporationState', +cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', +cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', +cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode', +cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', +} diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a96bd33..3ca3b57 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py @@ -2,6 +2,7 @@ import unittest import pytest +from cryptography import x509 import six from ipapython.dn import DN, RDN, AVA 
@@ -621,7 +622,7 @@ class TestDN(unittest.TestCase): def setUp(self): # ava1 must sort before ava2 self.attr1= 'cn' -self.value1 = 'Bob' +self.value1 = u'Bob' self.str_ava1 = '%s=%s' % (self.attr1, self.value1) self.ava1 = AVA(self.attr1, self.value1) @@ -629,7 +630,7 @@ def setUp(self): self.rdn1 = RDN((self.attr1, self.value1)) self.attr2= 'ou' -self.value2 = 'people' +self.value2 = u'people' self.str_ava2 = '%s=%s'
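Review bot: in the `_rdns_from_value` hunk, iterating `for ava in value` over a `cryptography.x509.name.Name` yields its attributes individually, and each one is wrapped as a one-element RDN `[get_ava(...)]`, so a multi-valued RDN in a certificate subject (for example `CN=x+OU=y`) becomes two separate RDNs in the resulting `DN`, which is a different DN from the one in the certificate. The `reversed(...)` is right (a certificate Name lists RDNs root first, e.g. `C=` before `CN=`, while a DN string lists them leaf first), but the conversion should be done per RDN rather than per attribute so the grouping survives.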
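Review bot: the `_ATTR_NAME_BY_OID` hunk uses raw `cryptography.x509.ObjectIdentifier('2.5.4.9')`, `'2.5.4.17'` and `'0.9.2342.19200300.100.1.1'` next to named `NameOID` constants without saying why; a short comment giving the reason (and the minimum python-cryptography version this code targets) would save the next reader the lookup. The `.get(ava.oid, ava.oid.dotted_string)` fallback for unmapped OIDs is sound, but the test hunk shown only touches the `u''` literals, so a test that converts a `Name` containing an unmapped OID and one containing each mapped short name would pin the behaviour.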
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ Although there are conflicts with `master`, there are problems when the patches are rebased. Server installation (CA-ful) fails when requesting the RA certificate. ``` 2016-11-10T04:58:02Z DEBUG [16/30]: requesting RA certificate from CA 2016-11-10T04:58:02Z DEBUG Starting external process 2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs -out /var/lib/ipa/tmpyozdnw 2016-11-10T04:58:02Z DEBUG Process finished, return code=0 2016-11-10T04:58:02Z DEBUG stdout= 2016-11-10T04:58:02Z DEBUG stderr= 2016-11-10T04:58:03Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1) 2016-11-10T04:58:08Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:13Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:18Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:23Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:28Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:33Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:38Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:43Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:48Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:53Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:58:58Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1) 2016-11-10T04:59:03Z DEBUG Traceback (most recent call last): File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 830, in __request_ra_certificate post_command='renew_ra_cert') File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in request_and_wait_for_cert state = wait_for_request(reqId, timeout=60) File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in wait_for_request raise RuntimeError("request timed out") RuntimeError: request timed out ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259603552 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#221][+ack] gitignore: ignore tar ball
URL: https://github.com/freeipa/freeipa/pull/221 Title: #221: gitignore: ignore tar ball Label: +ack
[Freeipa-devel] [freeipa PR#187][comment] Register entry points of Custodia plugins
URL: https://github.com/freeipa/freeipa/pull/187 Title: #187: Register entry points of Custodia plugins jcholast commented: """ Just curious, why is the store class called `iSecStore` and not `IPASecStore` or something similar to make it apparent that it comes from IPA? """ See the full comment at https://github.com/freeipa/freeipa/pull/187#issuecomment-259623574