[Freeipa-devel] Karma Requests for jss-4.4.0-1

2017-03-14 Thread Matthew Harmsen

The following updated candidate builds of jss 4.4.0 were generated:

 * Fedora 25:
   o jss-4.4.0-1.fc25
 * Fedora 26:
   o jss-4.4.0-1.fc26
 * Fedora 27:
   o jss-4.4.0-1.fc27

These builds address the following Bug:

 * Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+

Please provide Karma for the following builds:

 * Fedora 25:
   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-155b9d81d2
     jss-4.4.0-1.fc25
 * Fedora 26:
   o https://bodhi.fedoraproject.org/updates/FEDORA-2017-70cf2c25eb
     jss-4.4.0-1.fc26

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#579][+ack] csrgen: hide cert-get-requestdata in CLI

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/579
Title: #579: csrgen: hide cert-get-requestdata in CLI

Label: +ack

[Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

stlaz commented:
"""
Actually, this is most probably a privilege-separation issue since "kdc.pem" 
which we try to read here does not exist ever since.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/574#issuecomment-286343464

[Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution

2017-03-14 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
From 5e9291aaf7dfd92c5983f0bcd80976b1f597ac58 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 14:24:21 +0100
Subject: [PATCH 1/3] Short name resolution: introduce the required schema

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372
---
 install/share/60basev3.ldif | 2 ++
 install/updates/50-ipaconfig.update | 1 +
 2 files changed, 3 insertions(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 059174b..efc6c8a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -57,6 +57,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#1
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: (2.16.840.1.113730.3.8.11.77 NAME 'ipaDomainResolutionOrder' DESC 'List of domains used to resolve a short name' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.5')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
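Review bot: ipaDomainResolutionOrder is declared SINGLE-VALUE with IA5String syntax (1.3.6.1.4.1.1466.115.121.1.26) while its DESC calls it a "List of domains", so several domains must be packed into one string, and nothing in this hunk says which separator is used; the PR comment further down only mentions "simple splitting in validator". State the separator in the DESC (or in the design page referenced by patch 2/3) so that every consumer of the attribute splits it the same way, and note that IA5String restricts the value to ASCII, so an internationalized domain name can only be stored in its xn-- (punycode) form.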
@@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5')
 objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
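Review bot: the new objectclass is AUXILIARY with a single MAY attribute, so attaching it to an existing entry is harmless, but schema alone does not make ipaDomainResolutionOrder readable or writable through the permissions that already cover cn=ipaconfig; the ACI.txt change listed in the stat of patch 2/3 is where that has to happen, and it should be checked together with this hunk when the series is reviewed.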
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 89a1726..23d2919 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -4,3 +4,4 @@ add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
+add:objectClass: ipaNameResolutionData
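Review bot: add:objectClass is applied by the updater only when the value is absent, so the line is safe to re-run on upgrade, but because no default ipaDomainResolutionOrder is set here, resolution behaviour is unchanged until an administrator sets the attribute; the commit message should say so, since "Extend ipaConfig object" reads as if the feature became active.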

From e28de0b5b00137f94cd01a58d846311ccd93dd3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 18:14:52 +0100
Subject: [PATCH 2/3] ipaconfig: add the ability to manipulate domain
 resolution order

An optional attribute was added to the config object along with a validator that
checks for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372
---
 ACI.txt |   2 +-
 API.txt |   3 +-
 VERSION.m4  |   4 +-
 ipaserver/plugins/config.py | 114 +++-
 4 files changed, 117 insertions(+), 6 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index a36d460..c6
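
The validator that the commit message for patch 2/3 describes (syntactic domain-name check, existence in IPA or a trusted forest, trusted domain not disabled) is not visible on this page because the config.py diff is cut off. What follows is an added example written for this page, not FreeIPA's own code: it assumes ':' as the separator packed into the single-valued attribute (the patch does not say which character is used), uses a constructed set of domains in place of the real trust lookup, and enforces the ASCII-only rule that the IA5String syntax of the attribute implies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the patch excerpt does not show which character separates the
# domains packed into the single-valued attribute; ':' is a guess.
SEPARATOR = ":"

# One DNS label: 1-63 ASCII letters, digits or hyphens, not starting or ending
# with a hyphen. The attribute has IA5String syntax, so non-ASCII is rejected.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


@dataclass(frozen=True)
class TrustedDomain:
    """A domain from a trusted forest as the validator needs to see it."""
    name: str
    enabled: bool


class ValidationError(ValueError):
    """Raised for a value that must not be written to ipaDomainResolutionOrder."""


def is_valid_domain_name(name: str) -> bool:
    """Syntactic check: ASCII labels of 1-63 chars, whole name <= 253 chars,
    at least two labels (single-label names are rejected on purpose)."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL_RE.fullmatch(label) for label in labels)


def validate_domain_resolution_order(value: Optional[str], ipa_domain: str,
                                     trusted_domains: List[TrustedDomain]) -> List[str]:
    """Split and check a resolution-order value.

    Returns the normalized (lower-case, trailing dot removed) domains in the
    order given. Raises ValidationError when a name is malformed, repeated,
    unknown, or belongs to a disabled trusted domain.
    """
    if not value:
        return []
    # The IPA domain itself is always usable; trusted ones only when enabled.
    known = {ipa_domain.lower(): True}
    for td in trusted_domains:
        known[td.name.lower()] = td.enabled

    seen = set()
    result = []
    for raw in value.split(SEPARATOR):
        dom = raw.strip().rstrip(".").lower()
        if not is_valid_domain_name(dom):
            raise ValidationError("invalid domain name: {!r}".format(raw))
        if dom in seen:
            raise ValidationError("domain listed more than once: {}".format(dom))
        if dom not in known:
            raise ValidationError("unknown domain: {}".format(dom))
        if not known[dom]:
            raise ValidationError("trusted domain is disabled: {}".format(dom))
        seen.add(dom)
        result.append(dom)
    return result


def validation_error(value, ipa_domain, trusted_domains) -> Optional[str]:
    """Return the error message for a value, or None when it is acceptable."""
    try:
        validate_domain_resolution_order(value, ipa_domain, trusted_domains)
    except ValidationError as e:
        return str(e)
    return None


# Constructed sample data (not from the page): one IPA domain, one enabled and
# one disabled trusted domain.
EXAMPLE_IPA_DOMAIN = "ipa.example.test"
EXAMPLE_TRUSTED = [
    TrustedDomain("ad.example.test", True),
    TrustedDomain("old.example.test", False),
]

if __name__ == "__main__":
    print(validate_domain_resolution_order("IPA.Example.Test:ad.example.test.",
                                           EXAMPLE_IPA_DOMAIN, EXAMPLE_TRUSTED))
    for bad in ("ipa.example.test:old.example.test",
                "ipa.example.test:ipa.example.test",
                "ipa.example.test::ad.example.test",
                "ipa.example.test:b\u00fccher.example.test"):
        print(bad, "->", validation_error(bad, EXAMPLE_IPA_DOMAIN, EXAMPLE_TRUSTED))
```

The empty-element case ("a::b") and the duplicate case are rejected rather than silently dropped, because the stored string is what SSSD and other consumers will split later; anything the server tolerates here has to be tolerated identically by every reader of the attribute.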

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
@HonzaCholasta I agree, I have removed the commit which introduces special 
param handling and resorted to simple splitting in validator. I have also 
regenerated ACIs in the respective commits.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286348952

[Freeipa-devel] [freeipa PR#578][edited] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/578
Author: tomaskrizek
 Title: #578: Coverity: fix bad use of null-like value in cert.py
Action: edited

 Changed field: body
Original value:
"""
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/log/fixed.html#def2
"""


[Freeipa-devel] [freeipa PR#580][opened] Fix KDC certificates export on DL0

2017-03-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/580
Author: stlaz
 Title: #580: Fix KDC certificates export on DL0
Action: opened

PR body:
"""
I don't know since when this has been broken but my guess is - for a long time.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/580/head:pr580
git checkout pr580
From cc056293e1488202249d497e827f630a885aadc0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Mar 2017 09:17:51 +0100
Subject: [PATCH] Fix KDC certificates export on DL0

---
 ipaserver/install/certs.py   | 16 +++-
 ipaserver/install/ipa_replica_prepare.py | 20 ++--
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..4bcc009 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -75,11 +75,17 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
  "-passin", "file:" + pwd.name])
 
 
-def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
-ipautil.run([paths.OPENSSL, "pkcs12",
- "-export", "-name", nickname,
- "-in", pem_fname, "-out", pkcs12_fname,
- "-passout", "file:" + pkcs12_pwd_fname])
+def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname,
+   key_fname=None):
+args = [
+paths.OPENSSL, "pkcs12",
+"-export", "-name", nickname,
+"-in", pem_fname, "-out", pkcs12_fname,
+"-passout", "file:" + pkcs12_pwd_fname
+]
+if key_fname is not None:
+args.extend(['-inkey', key_fname])
+ipautil.run(args)
 
 
 class CertDB(object):
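Review bot: export_pem_p12 now has two modes but no docstring saying that pem_fname must contain both certificate and key when key_fname is None (openssl pkcs12 -export otherwise fails with "unable to load private key"), and neither mode passes -certfile, so the issuing CA chain is not included in the PKCS#12; the old call used a kdc.pem in the replica directory, which may have carried the chain inside one PEM. Add a docstring for the two modes and, if the replica needs the chain in pkinitcert.p12, an optional ca_fname that appends ['-certfile', ca_fname] to args.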
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..044c993 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -447,7 +447,10 @@ def copy_pkinit_certificate(self):
 self.copy_info_file(self.pkinit_pkcs12_file.name, "pkinitcert.p12")
 else:
 self.log.info("Creating SSL certificate for the KDC")
-self.export_certdb("pkinitcert", passwd_fname, is_kdc=True)
+pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
+certs.export_pem_p12(
+pkcs12_fname, passwd_fname, "KDC-Cert",
+pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
 
 def copy_misc_files(self):
 self.log.info("Copying additional files")
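Review bot: the log line "Creating SSL certificate for the KDC" no longer describes what the branch does; it now bundles the existing paths.KDC_CERT and paths.KDC_KEY into pkinitcert.p12, so something like "Exporting KDC certificate and key for the replica" is accurate. Because this file now carries the KDC private key into the replica directory, confirm the PKCS#12 is created with a restrictive mode (openssl only honours the umask) and that paths.KDC_KEY is checked for existence and readability before the call; this call sits outside the try/except in export_certdb, so a failure here surfaces as a raw CalledProcessError rather than the logged-and-cleaned-up path used for Server-Cert.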
@@ -596,11 +599,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 hostname = self.replica_fqdn
 subject_base = self.subject_base
 
-if is_kdc:
-nickname = "KDC-Cert"
-else:
-nickname = "Server-Cert"
-
+nickname = "Server-Cert"
 try:
 db = certs.CertDB(
 api.env.realm, nssdir=self.dir, subject_base=subject_base)
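Review bot: is_kdc is still in the signature (the hunk header shows def export_certdb(self, fname, passwd_fname, is_kdc=False)) but after this hunk and the two below it is never read; remove the parameter and grep for remaining callers, so that a leftover is_kdc=True becomes a TypeError instead of silently exporting Server-Cert under the wrong expectations.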
@@ -611,11 +610,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 pkcs12_fname = os.path.join(self.dir, fname + ".p12")
 
 try:
-if is_kdc:
-certs.export_pem_p12(pkcs12_fname, passwd_fname,
-nickname, os.path.join(self.dir, "kdc.pem"))
-else:
-db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
+db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
 except ipautil.CalledProcessError as e:
 self.log.info("error exporting Server certificate: %s", e)
 installutils.remove_file(pkcs12_fname)
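Review bot: with the KDC branch gone this except path only ever handles Server-Cert, yet it still logs at info level ("error exporting Server certificate") before removing the half-written PKCS#12, and the context shown does not re-raise; log it at error level so a failed export is visible in the replica-prepare log.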
@@ -626,9 +621,6 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 self.remove_info_file("secmod.db")
 self.remove_info_file("noise.txt")
 
-if is_kdc:
-self.remove_info_file("kdc.pem")
-
 orig_filename = passwd_fname + ".orig"
 if ipautil.file_exists(orig_filename):
 installutils.remove_file(orig_filename)

[Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

stlaz commented:
"""
@MartinBasti should be fixed in https://github.com/freeipa/freeipa/pull/580
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/574#issuecomment-286352636

[Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login

2017-03-14 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
From 41aafdf67613ce3cd98471d00d523c6c792c849d Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 9 Mar 2017 12:14:21 +0100
Subject: [PATCH 1/2] Support certificate login after installation and upgrade

Add the necessary steps which set up SSSD and set the SELinux boolean during
installation or upgrade. Also create a new endpoint in Apache for
login using certificates.

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in  |  1 +
 install/conf/ipa.conf| 30 +-
 install/share/gssproxy.conf.template |  1 +
 ipaclient/install/client.py  | 20 
 ipaserver/install/httpinstance.py|  1 +
 ipaserver/install/server/upgrade.py  |  5 +
 6 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6eb00ee..bc3f3fb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -255,6 +255,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
 Requires: mod_nss >= 1.0.8-26
 Requires: mod_session
+Requires: mod_lookup_identity
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
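Review bot: Requires: mod_lookup_identity carries no version floor while the neighbouring mod_auth_gssapi >= 1.5.0 and mod_nss >= 1.0.8-26 lines do; LookupUserByCertificate is the directive this series depends on, so pin the first mod_lookup_identity release that provides it.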
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 419d4e3..b4f2fb9 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -4,8 +4,13 @@
 # This file may be overwritten on upgrades.
 #
 
-ProxyRequests Off
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
 
+ProxyRequests Off
 
 #We use xhtml, a file format that the browser validates
 DirectoryIndex index.html
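Review bot: an unconditional LoadModule in ipa.conf is processed in addition to the module's own conf.modules.d entry that the new spec Requires pulls in, so httpd will warn "module lookup_identity_module is already loaded, skipping" at every start; either guard it with IfModule !lookup_identity_module or drop it and rely on the package's module config. The comment wording "search users according the certificate" should read "look up users by certificate".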
@@ -70,6 +75,7 @@ WSGIScriptReloading Off
   SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
+  GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
   GssapiUseS4U2Proxy on
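Review bot: GssapiImpersonate On is added to the existing GSSAPI-authenticated location next to GssapiUseS4U2Proxy, but clients there already present their own Kerberos credentials; if it is here so that a session created by certificate login can have its delegated credential cache rebuilt (via S4U2Self) on later requests to this location, say so in a comment, otherwise scope the directive to the certificate-login location only, since each location that enables it widens what httpd does with the HTTP service credential. Also confirm that the mod_auth_gssapi >= 1.5.0 floor in the spec is the release that introduced the directive.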
@@ -97,6 +103,28 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   Allow from all
 
 
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after 
+
+  AuthType none
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+
+  GssapiUseSessions On
+  Session On
+  SessionCookieName ipa_session path=/ipa;httponly;secure;
+  SessionHeader IPASESSION
+  SessionMaxAge 1800
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+  Header unset Set-Cookie
+
+
 
   Satisfy Any
   Order Deny,Allow
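Review bot: this block sets AuthType none and establishes the user through NSSVerifyClient require plus LookupUserByCertificate, but nothing in it enables impersonation, so the GssapiDelegCcacheDir and GssapiDelegCcachePerms lines cannot produce a credential cache for the looked-up user; either GssapiImpersonate On belongs here or the two ccache directives are dead. Two further points: NSSVerifyClient require accepts a client certificate from any CA trusted in the httpd NSS database, so the SSSD mapping of certificate to user entry is the only thing binding a certificate to one account, and whoever can write a certificate onto a user entry can log in as that user; and the opening Location line of the block is not visible in this excerpt, so check that the path is limited to the login endpoint rather than a broader prefix.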
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..d703144 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 774eaaf..579d1aa 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -846,6 +846,9 @@ def configure_sssd_conf(
 sssdconfig.new_config()
 domain = sssdconfig.new_domain(cli_domain)
 
+if options.on_master:
+sssd_enable_service(sssdconfig, 'ifp')
+
 if (
 (options.conf_ssh and file_exists(paths.SSH_CONFIG)) or
 (options.conf_sshd and file_exists(paths.SSHD_CONFIG))
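Review bot: enabling the ifp responder on masters is only half of what the certificate lookup needs; the InfoPipe restricts its D-Bus callers through allowed_uids, which by default permits root only, so the uid under which the httpd-side lookup runs has to be added to [ifp] allowed_uids in the same step or LookupUserByCertificate will be refused. Since the on_master condition means existing masters only get this through the upgrade.py change in this patch, a comment pointing there would help.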
@@ -948,6 +951,23 @@ def configure_sssd_conf(
 return 0
 
 
+def sssd_enable_service(sssdconfig, service):
+try:
+sssdconfig.new_service(service)
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
+root_logger.error(
+"Unable to activate the %s service in SSSD config.", service)
+root_logger.info(
+"Please make sure you have SSSD built with %s support "
+"installed.", service)
+root_logger.info(
+"Configure %s support manually in /etc/sssd/sssd.conf.", service)
+
+sssdconfig.activate_service(service)
+
+
 def change_ssh_config(filename, changes, sections):
 if not changes:
 return True
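Review bot: logic problem in the ServiceNotRecognizedError branch: after logging that the service cannot be activated, control falls through to sssdconfig.activate_service(service), which fails again for the same unrecognized service and turns the friendly messages into a traceback; return (or raise a cleaner error) at the end of that except block. The ServiceAlreadyExists branch is fine, since activate_service is what matters for an existing service.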
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..048f317 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -53,6 +53,7 @@
 httpd_can_network_connect='on',
 httpd_manage_ipa='on',
 httpd_run_ipa='on',
+httpd_dbus_sssd='on',
 )
 
 HTTPD_USER = con

[Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login

2017-03-14 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
From 94f431f7f1a8b235edea6eba51a87b1fcd5c6625 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 9 Mar 2017 12:14:21 +0100
Subject: [PATCH 1/2] Support certificate login after installation and upgrade

Add the necessary steps which set up SSSD and set the SELinux boolean during
installation or upgrade. Also create a new endpoint in Apache for
login using certificates.

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in  |  1 +
 install/conf/ipa.conf| 31 ++-
 install/share/gssproxy.conf.template |  1 +
 ipaclient/install/client.py  | 20 
 ipaserver/install/httpinstance.py|  1 +
 ipaserver/install/server/upgrade.py  |  5 +
 6 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6eb00ee..bc3f3fb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -255,6 +255,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
 Requires: mod_nss >= 1.0.8-26
 Requires: mod_session
+Requires: mod_lookup_identity
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 419d4e3..7ac67f5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -4,8 +4,13 @@
 # This file may be overwritten on upgrades.
 #
 
-ProxyRequests Off
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
 
+ProxyRequests Off
 
 #We use xhtml, a file format that the browser validates
 DirectoryIndex index.html
@@ -70,6 +75,7 @@ WSGIScriptReloading Off
   SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
+  GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
   GssapiUseS4U2Proxy on
@@ -97,6 +103,29 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   Allow from all
 
 
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after 
+
+  AuthType none
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+  GssapiImpersonate On
+
+  GssapiUseSessions On
+  Session On
+  SessionCookieName ipa_session path=/ipa;httponly;secure;
+  SessionHeader IPASESSION
+  SessionMaxAge 1800
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+  Header unset Set-Cookie
+
+
 
   Satisfy Any
   Order Deny,Allow
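Review bot: GssapiImpersonate On now appears inside this block, which is what turns the certificate-mapped user name into a credential for the delegated ccache; with that in place, revisit whether the copy added to the main GSSAPI location in the earlier hunk is still required, and keep the session directives of the two locations identical (same cookie name, header, max age and session key, as they are here) so that a session minted by certificate login is indistinguishable from a Kerberos one.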
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..d703144 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 774eaaf..579d1aa 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -846,6 +846,9 @@ def configure_sssd_conf(
 sssdconfig.new_config()
 domain = sssdconfig.new_domain(cli_domain)
 
+if options.on_master:
+sssd_enable_service(sssdconfig, 'ifp')
+
 if (
 (options.conf_ssh and file_exists(paths.SSH_CONFIG)) or
 (options.conf_sshd and file_exists(paths.SSHD_CONFIG))
@@ -948,6 +951,23 @@ def configure_sssd_conf(
 return 0
 
 
+def sssd_enable_service(sssdconfig, service):
+try:
+sssdconfig.new_service(service)
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
+root_logger.error(
+"Unable to activate the %s service in SSSD config.", service)
+root_logger.info(
+"Please make sure you have SSSD built with %s support "
+"installed.", service)
+root_logger.info(
+"Configure %s support manually in /etc/sssd/sssd.conf.", service)
+
+sssdconfig.activate_service(service)
+
+
 def change_ssh_config(filename, changes, sections):
 if not changes:
 return True
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..048f317 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -53,6 +53,7 @@
 httpd_can_network_connect='on',
 httpd_manage_ipa='on',
 httpd_run_ipa='on',
+httpd_dbus_sssd='on

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 actually I found multiple issues during review and concluded that 
setting up PKINIT on DL1 replica never worked correctly actually. Will open 
respective blocker tickets ASAP.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286355471

[Freeipa-devel] [freeipa PR#578][closed] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/578
Author: tomaskrizek
 Title: #578: Coverity: fix bad use of null-like value in cert.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/578/head:pr578
git checkout pr578

[Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

tomaskrizek commented:
"""
Sorry about the link, I've removed it.

Nevertheless, it seems that's indeed a false positive, because `principal_type` 
is set to `USER`, but `principal_type == KRBTGT` on 
[L616](https://github.com/freeipa/freeipa/pull/578/files#diff-95cc6f5739d8923e9d470c2f686038f1R616)
 is evaluated as true instead of `principal_type == USER` at 
[L624](https://github.com/freeipa/freeipa/pull/578/files#diff-95cc6f5739d8923e9d470c2f686038f1R624)
 which would set `principal_obj`. There is no other assignment to 
`principal_type` in between.

Closing the PR, coverity error is a false positive.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/578#issuecomment-286355703

[Freeipa-devel] [freeipa PR#578][+rejected] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

Label: +rejected

[Freeipa-devel] [freeipa PR#580][synchronized] Fix KDC certificates export on DL0

2017-03-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/580
Author: stlaz
 Title: #580: Fix KDC certificates export on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/580/head:pr580
git checkout pr580
From 280af15a914aa7ec4faf83eb6016e917442d6500 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Mar 2017 09:17:51 +0100
Subject: [PATCH] Fix KDC certificates export on DL0

https://pagure.io/freeipa/issue/6759
---
 ipaserver/install/certs.py   | 16 +++-
 ipaserver/install/ipa_replica_prepare.py | 20 ++--
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..4bcc009 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -75,11 +75,17 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
  "-passin", "file:" + pwd.name])
 
 
-def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
-ipautil.run([paths.OPENSSL, "pkcs12",
- "-export", "-name", nickname,
- "-in", pem_fname, "-out", pkcs12_fname,
- "-passout", "file:" + pkcs12_pwd_fname])
+def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname,
+   key_fname=None):
+args = [
+paths.OPENSSL, "pkcs12",
+"-export", "-name", nickname,
+"-in", pem_fname, "-out", pkcs12_fname,
+"-passout", "file:" + pkcs12_pwd_fname
+]
+if key_fname is not None:
+args.extend(['-inkey', key_fname])
+ipautil.run(args)
 
 
 class CertDB(object):
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..044c993 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -447,7 +447,10 @@ def copy_pkinit_certificate(self):
 self.copy_info_file(self.pkinit_pkcs12_file.name, "pkinitcert.p12")
 else:
 self.log.info("Creating SSL certificate for the KDC")
-self.export_certdb("pkinitcert", passwd_fname, is_kdc=True)
+pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
+certs.export_pem_p12(
+pkcs12_fname, passwd_fname, "KDC-Cert",
+pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
 
 def copy_misc_files(self):
 self.log.info("Copying additional files")
@@ -596,11 +599,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 hostname = self.replica_fqdn
 subject_base = self.subject_base
 
-if is_kdc:
-nickname = "KDC-Cert"
-else:
-nickname = "Server-Cert"
-
+nickname = "Server-Cert"
 try:
 db = certs.CertDB(
 api.env.realm, nssdir=self.dir, subject_base=subject_base)
@@ -611,11 +610,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 pkcs12_fname = os.path.join(self.dir, fname + ".p12")
 
 try:
-if is_kdc:
-certs.export_pem_p12(pkcs12_fname, passwd_fname,
-nickname, os.path.join(self.dir, "kdc.pem"))
-else:
-db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
+db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
 except ipautil.CalledProcessError as e:
 self.log.info("error exporting Server certificate: %s", e)
 installutils.remove_file(pkcs12_fname)
@@ -626,9 +621,6 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 self.remove_info_file("secmod.db")
 self.remove_info_file("noise.txt")
 
-if is_kdc:
-self.remove_info_file("kdc.pem")
-
 orig_filename = passwd_fname + ".orig"
 if ipautil.file_exists(orig_filename):
 installutils.remove_file(orig_filename)

[Freeipa-devel] [freeipa PR#574][+ack] ipa-replica-prepare fix

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

Label: +ack

[Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

MartinBasti commented:
"""
But this is about `principal_obj`, I don't see it in step 2, but I see 
`principal_obj = None` in step 11
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/578#issuecomment-286359771

[Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

MartinBasti commented:
"""
Ah I see it is really false positive
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/578#issuecomment-286360715

[Freeipa-devel] [freeipa PR#559][synchronized] WebUI: Certificate login

2017-03-14 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
From 4becb4747ecc098c495f8174c2396f848133cd65 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 9 Mar 2017 12:14:21 +0100
Subject: [PATCH 1/2] Support certificate login after installation and upgrade

Add the necessary steps which set up SSSD and set the SELinux boolean during
installation or upgrade. Also create a new endpoint in Apache for
login using certificates.

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in  |  1 +
 install/conf/ipa.conf| 33 +++--
 install/share/gssproxy.conf.template |  1 +
 ipaclient/install/client.py  | 20 
 ipaserver/install/httpinstance.py|  1 +
 ipaserver/install/server/upgrade.py  |  5 +
 6 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6eb00ee..bc3f3fb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -255,6 +255,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
 Requires: mod_nss >= 1.0.8-26
 Requires: mod_session
+Requires: mod_lookup_identity
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
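Review bot: `Requires: mod_lookup_identity` carries no minimum version, unlike the neighbouring `mod_auth_gssapi >= 1.5.0` and `mod_nss >= 1.0.8-26` lines; since ipa.conf now uses the `LookupUserByCertificate` directive, pin the first release that provides it (`Requires: mod_lookup_identity >= <version placeholder>`), otherwise a too-old module can be installed and httpd refuses to start on the unknown directive.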
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 419d4e3..164231c 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,11 +1,16 @@
 #
-# VERSION 23 - DO NOT REMOVE THIS LINE
+# VERSION 24 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
 
-ProxyRequests Off
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
 
+ProxyRequests Off
 
 #We use xhtml, a file format that the browser validates
 DirectoryIndex index.html
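Review bot: the conditional guard that the comment "in case it has not been loaded yet" refers to is not visible in the hunk as mailed (the bare `+` lines around the `LoadModule` look like stripped markup), so please confirm the `LoadModule lookup_identity_module` line is wrapped so it does not double-load the module when the distribution already loads it from conf.modules.d. Separately, the comment should read "according to the certificate".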
@@ -70,6 +75,7 @@ WSGIScriptReloading Off
   SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
+  GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
   GssapiUseS4U2Proxy on
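Review bot: `GssapiImpersonate On` is added to the existing session block without any mention in the commit message; because it lets httpd obtain a ticket on behalf of the authenticated user via S4U2Self instead of relying only on a delegated ccache, state why the Kerberos login path needs it too and not only the new certificate endpoint.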
@@ -97,6 +103,29 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   Allow from all
 
 
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after 
+
+  AuthType none
+  GssapiDelegCcacheDir /var/run/ipa/ccaches
+  GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+  GssapiImpersonate On
+
+  GssapiUseSessions On
+  Session On
+  SessionCookieName ipa_session path=/ipa;httponly;secure;
+  SessionHeader IPASESSION
+  SessionMaxAge 1800
+  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+  Header unset Set-Cookie
+
+
 
   Satisfy Any
   Order Deny,Allow
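Review bot: the `<Location>` header of the new block and the end of the comment "needs to be loaded after" are missing from the hunk as mailed, so the path this applies to cannot be reviewed here. On the visible lines, with `AuthType none` the only gate is `NSSVerifyClient require` plus the `NSSUserName SSL_CLIENT_CERT` / `LookupUserByCertificate On` mapping, so the commit message should spell out that any client certificate chaining to a CA trusted by mod_nss and resolvable by SSSD yields an IPA session; and the `GssapiUseSessions` … `GssapiSessionKey` directives duplicate the `/ipa/session` block above, which would be easier to keep in sync as one shared fragment.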
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..d703144 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
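Review bot: `allow_constrained_delegation = true` widens what gssproxy performs for the HTTP service section (which runs as `euid = $HTTPD_USER` with the HTTP keytab), and the commit message does not mention it; add a sentence explaining why constrained delegation is required in addition to `allow_protocol_transition` for the certificate login path.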
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 774eaaf..579d1aa 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -846,6 +846,9 @@ def configure_sssd_conf(
 sssdconfig.new_config()
 domain = sssdconfig.new_domain(cli_domain)
 
+if options.on_master:
+sssd_enable_service(sssdconfig, 'ifp')
+
 if (
 (options.conf_ssh and file_exists(paths.SSH_CONFIG)) or
 (options.conf_sshd and file_exists(paths.SSHD_CONFIG))
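Review bot: enabling the `ifp` responder on masters opens SSSD's D-Bus InfoPipe to local callers; consider pairing it with the `[ifp]` `allowed_uids` setting restricted to the identity mod_lookup_identity runs as, so that only httpd can map certificates to users through it.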
@@ -948,6 +951,23 @@ def configure_sssd_conf(
 return 0
 
 
+def sssd_enable_service(sssdconfig, service):
+try:
+sssdconfig.new_service(service)
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
+root_logger.error(
+"Unable to activate the %s service in SSSD config.", service)
+root_logger.info(
+"Please make sure you have SSSD built with %s support "
+"installed.", service)
+root_logger.info(
+"Configure %s support manually in /etc/sssd/sssd.conf.", service)
+
+sssdconfig.activate_service(service)
+
+
 def change_ssh_config(filename, changes, sections):
 if not changes:
 return True
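Review bot: in `sssd_enable_service()` the `ServiceNotRecognizedError` branch logs an error and then falls through to `sssdconfig.activate_service(service)`, which will fail again for the same unrecognised service and turn the "configure manually" advice into a traceback; add a `return` (or re-raise deliberately) after the logging so the caller sees one clear outcome.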
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..048f317 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -53,6 +53,7 @@
 httpd_can_network_c

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Can you figure out exactly why certmonger is doing this?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286366985

[Freeipa-devel] [freeipa PR#139][+ack] WebUI: Vault Management

2017-03-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

Label: +ack

[Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

pvoborni commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/577#issuecomment-286369347

[Freeipa-devel] [freeipa PR#139][+pushed] WebUI: Vault Management

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

Label: +pushed

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

MartinBasti commented:
"""
master:

* c3115fa617fb049ba48d356d280fdb23c312ebca Additional option to add and del 
operations can be set
* ec63456b7c1fba6bd8d9073e63c27ef685f08c60 Allow to set another other_entity 
name
* 93a7f4c88db159664664bd82d1d00e5e0033ac22 Possibility to skip checking 
writable according to metadata
* 6d1374f7f82d144b8aa361e9e637c5388f8f7edb Added optional option in refreshing 
after modifying association table
* bbca1d9219bfab9f204cb0217495cbd94b7098be Add property which allows refresh 
command to use url value
* 042e113db9bc66dcd0da0d5e8b8d025212695705 Add possibility to pass url 
parameter to update command of details page
* 2e6e0698865e7d530c6ebf87a12e46f990ac1d87 Extend _show command after _find 
command in table facets
* 039a6f7b4ff392974408cb9e274f8a3777e009fd Possibility to set list of table 
attributes which will be added to _del command
* 8dfe692251d38934a21ad3bc648d839d83e27caa Add possibility to hide only one tab 
in sidebar
* de4d4a51b542b8e473919dbc14f7a0810944b544 WebUI: search facet's default 
actions might be overriden
* 587b7324fb1f6899deb151c30662362c18c5258e WebUI: allow to show rows with same 
pkey in tables
* 39d7ef3de4b0345274b4b8e8f6918e3b714879ad WebUI: add vault management
* ab8c69f4c602c0eaefbb058c108428ca30a80e98 TESTS: Add support for KRA in 
ui_driver
* 0808504ba1ab743acdf4231876d49c26dbae6621 TESTS: Add support for sidebar with 
facets
* f95275748465ffacecfbf55ca2cd2fc54f3860b7 TESTS WebUI: Vaults management
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-286369632

[Freeipa-devel] [freeipa PR#139][closed] WebUI: Vault Management

2017-03-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139

[Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/577
Author: pvomacka
 Title: #577: WebUI: Add support for AD users short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/577/head:pr577
git checkout pr577
From 128f628f2f322866f7c51c50926675871679 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 13 Mar 2017 17:30:57 +0100
Subject: [PATCH] WebUI: Add support for AD users short name resolution

https://pagure.io/freeipa/issue/6372
---
 install/ui/src/freeipa/idviews.js  | 4 
 install/ui/src/freeipa/serverconfig.js | 4 
 2 files changed, 8 insertions(+)

diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 25c043c..f383ab3 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -100,6 +100,10 @@ return {
 fields: [
 'cn',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:idview_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'textarea',
 name: 'description'
 }
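Review bot: the new `ipadomainresolutionorder` field has no `$type`, so it renders as a plain text input with no client-side format check, and its tooltip is resolved from `@mc-opt:idview_mod:ipadomainresolutionorder:doc`, i.e. the server's option metadata; if the backend option from PR#573 is renamed or restructured, that lookup fails silently, so a WebUI test that opens the idview details facet would catch it.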
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 2bc4e88..25f484a 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -56,6 +56,10 @@ return {
 'ipausersearchfields',
 'ipadefaultemaildomain',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:config_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'entity_select',
 name: 'ipadefaultprimarygroup',
 other_entity: 'group',
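Review bot: the same attribute is now exposed globally here (`config_mod`) and per ID view in idviews.js; a short hint in the tooltip or label about which value wins when both are set would save confusion, and the commit body, which is only the issue link, should state that as well.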

[Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

pvoborni commented:
"""
ACK if backend won't change
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/577#issuecomment-286373214

[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin

2017-03-14 Thread sumit-bose
   URL: https://github.com/freeipa/freeipa/pull/575
Author: sumit-bose
 Title: #575: IPA certauth plugin
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/575/head:pr575
git checkout pr575
From 27bcf2baab5129ce3f49e1ff74d9489753211c93 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905
---
 daemons/ipa-kdb/ipa_kdb.h| 11 +++
 daemons/ipa-kdb/ipa_kdb_principals.c | 58 
 2 files changed, 56 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3..72f2675 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
 char **db_args);
 krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
 #if KRB5_KDB_API_VERSION < 8
 krb5_error_code ipadb_iterate(krb5_context kcontext,
   char *match_entry,
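Review bot: `ipadb_fetch_principals_with_extra_filter()` takes a raw `const char *filter` that is spliced into an LDAP filter string, whereas the principal argument is escaped inside the function; add a comment on the declaration stating that `filter` must be a complete, parenthesised and already-escaped LDAP filter component (or `NULL`), since the certauth plugin callers will build it from certificate data.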
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8..82c8574 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
 "(objectclass=krbprincipal))" \
   "(krbprincipalname=%s))"
 
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal)" \
+  "(objectclass=ipakrbprincipal))" \
+"(|(ipakrbprincipalalias=%s)" \
+  "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal))" \
+"(krbprincipalname=%s)" \
+"%s)"
 static char *std_principal_attrs[] = {
 "krbPrincipalName",
 "krbCanonicalName",
@@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
 return kerr;
 }
 
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
-  unsigned int flags,
-  char *principal,
-  LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
 {
 krb5_error_code kerr;
 char *src_filter = NULL;
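Review bot: the static `ipadb_fetch_principals()` is replaced rather than kept, so unless a wrapper with the old name appears in a later hunk every existing caller in this file has to change; a two-line static wrapper that forwards with `filter = NULL` would keep the diff small and make it obvious that the alias behaviour is unchanged.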
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
 goto done;
 }
 
-if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-   esc_original_princ, esc_original_princ);
+if (filter == NULL) {
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+   esc_original_princ, esc_original_princ);
+} else {
+ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+}
 } else {
-ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+   esc_original_princ, esc_original_princ, filter);
+} else {
+ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+   esc_original_princ, filter);
+}
 }
 
 if (ret == -1) {
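Review bot: the `filter == NULL` and non-NULL branches repeat the `KRB5_KDB_FLAG_ALIAS_OK` test; choosing the format string first and calling `asprintf()` once would halve the branching. More importantly, `filter` is concatenated unescaped (only `esc_original_princ` is escaped) and `ret == -1` is the only error check, so a malformed filter only surfaces later as an LDAP search error; checking that `filter` starts with `(` here would fail fast.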
@@ -913,11 +936,20 @

[Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin

2017-03-14 Thread sumit-bose
  URL: https://github.com/freeipa/freeipa/pull/575
Title: #575: IPA certauth plugin

sumit-bose commented:
"""
I updated the code to reflect the latest changes in the interface from 
https://github.com/krb5/krb5/pull/610.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/575#issuecomment-286373480

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
Server upgrade consists only of adding the objectclass to ipaConfig, which is 
taken care of in the update file. The idview object schema is modified 
on-demand when the attribute is set. Is there something else I need to take 
care of?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286385187

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 yes, the whole PKINIT setup logic on replicas is flawed and will probably 
need to be moved to a later point in the master/replica install. Can I re-use 
your PR and prepare a new one that will fix it properly? I will keep you as the 
author of this commit if you wish.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286389719

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

HonzaCholasta commented:
"""
IMO you should add the object class to all existing idviews on upgrade rather 
than add it on-demand.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286390880

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Sure, no prob
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286391140

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 thank you
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286392161

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

MartinBasti commented:
"""
@HonzaCholasta it will break in the case when an idview entry is created on an older 
replica, so it is safer to append the objectclass dynamically
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286394244

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

HonzaCholasta commented:
"""
Ah, right.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286395012

[Freeipa-devel] [freeipa PR#568][+ack] cert: include certificate chain in cert command output

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/568
Title: #568: cert: include certificate chain in cert command output

Label: +ack

[Freeipa-devel] [freeipa PR#568][comment] cert: include certificate chain in cert command output

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/568
Title: #568: cert: include certificate chain in cert command output

dkupka commented:
"""
LGTM and works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/568#issuecomment-28644

[Freeipa-devel] [freeipa PR#568][+pushed] cert: include certificate chain in cert command output

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/568
Title: #568: cert: include certificate chain in cert command output

Label: +pushed

[Freeipa-devel] [freeipa PR#568][closed] cert: include certificate chain in cert command output

2017-03-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/568
Author: HonzaCholasta
 Title: #568: cert: include certificate chain in cert command output
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/568/head:pr568
git checkout pr568

[Freeipa-devel] [freeipa PR#568][comment] cert: include certificate chain in cert command output

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/568
Title: #568: cert: include certificate chain in cert command output

dkupka commented:
"""
master:

* c60d9c9744b1f8a7b55bcdda65cce8bb36700bf6 cert: add output file option to 
cert-request
* 8ed891cb619abd2efd428f767edf760ebf5eec5d cert: include certificate chain in 
cert command output
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/568#issuecomment-286400258

[Freeipa-devel] [freeipa PR#580][+rejected] Fix KDC certificates export on DL0

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/580
Title: #580: Fix KDC certificates export on DL0

Label: +rejected

[Freeipa-devel] [freeipa PR#580][comment] Fix KDC certificates export on DL0

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/580
Title: #580: Fix KDC certificates export on DL0

stlaz commented:
"""
We should not care about KDC certificates at all on DL0.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/580#issuecomment-286400760

[Freeipa-devel] [freeipa PR#580][closed] Fix KDC certificates export on DL0

2017-03-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/580
Author: stlaz
 Title: #580: Fix KDC certificates export on DL0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/580/head:pr580
git checkout pr580

[Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/577
Author: pvomacka
 Title: #577: WebUI: Add support for AD users short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/577/head:pr577
git checkout pr577
From bbb573aea93351157d485f560160949402447b59 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 13 Mar 2017 17:30:57 +0100
Subject: [PATCH] WebUI: Add support for management of user short name
 resolution

https://pagure.io/freeipa/issue/6372
---
 install/ui/src/freeipa/idviews.js  | 4 
 install/ui/src/freeipa/serverconfig.js | 4 
 2 files changed, 8 insertions(+)

diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 25c043c..f383ab3 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -100,6 +100,10 @@ return {
 fields: [
 'cn',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:idview_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'textarea',
 name: 'description'
 }
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 2bc4e88..25f484a 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -56,6 +56,10 @@ return {
 'ipausersearchfields',
 'ipadefaultemaildomain',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:config_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'entity_select',
 name: 'ipadefaultprimarygroup',
 other_entity: 'group',
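Review bot: both hunks are byte-identical to the previous revision of this PR; only the subject line changed, while the body is still just the issue link. Since the thread asks for a better commit message, one sentence saying that the patch exposes the `ipadomainresolutionorder` attribute of the config and idview entries in the WebUI would close that request.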

[Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

pvomacka commented:
"""
@simo5 I changed the subject; do you have any suggestion for what you would like to 
see in the commit message? I think that this is quite an easy and self-explanatory 
patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/577#issuecomment-286404011

[Freeipa-devel] [freeipa PR#579][+pushed] csrgen: hide cert-get-requestdata in CLI

2017-03-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/579
Title: #579: csrgen: hide cert-get-requestdata in CLI

Label: +pushed

[Freeipa-devel] [freeipa PR#579][comment] csrgen: hide cert-get-requestdata in CLI

2017-03-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/579
Title: #579: csrgen: hide cert-get-requestdata in CLI

HonzaCholasta commented:
"""
master:

* 72de679eb445c975ec70cd265d37d4927823ce5b csrgen: hide cert-get-requestdata in 
CLI
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/579#issuecomment-286404609

[Freeipa-devel] [freeipa PR#579][closed] csrgen: hide cert-get-requestdata in CLI

2017-03-14 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/579
Author: HonzaCholasta
 Title: #579: csrgen: hide cert-get-requestdata in CLI
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/579/head:pr579
git checkout pr579

[Freeipa-devel] [freeipa PR#581][opened] Backup KDC certificate pair

2017-03-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/581
Author: stlaz
 Title: #581: Backup KDC certificate pair
Action: opened

PR body:
"""
The KDC certificate pair was added but is not included in the backup, which
might cause issues when restoring the IPA service.

https://pagure.io/freeipa/issue/6748

This probably does not fix the issue as a whole but I am not sure
if there's more that we can do on the IPA side.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/581/head:pr581
git checkout pr581
From eda546f2ac3c6d1a3b95a4f81abca5a2bd735c15 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Mar 2017 13:27:39 +0100
Subject: [PATCH] Backup KDC certificate pair

The KDC certificate pair was added but is not included in the backup, which
might cause issues when restoring the IPA service.

https://pagure.io/freeipa/issue/6748
---
 ipaserver/install/ipa_backup.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 8fc2a1c..07c50c8 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -163,6 +163,8 @@ class Backup(admintool.AdminTool):
 paths.CACERT_P12,
 paths.KRACERT_P12,
 paths.KRB5KDC_KDC_CONF,
+paths.KDC_CERT,
+paths.KDC_KEY,
 paths.SYSTEMD_IPA_SERVICE,
 paths.SYSTEMD_SSSD_SERVICE,
 paths.SYSTEMD_CERTMONGER_SERVICE,
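Review bot: adding `paths.KDC_KEY` puts the KDC private key into the backup archive next to the certificate; the PR body already doubts this fixes the issue as a whole, so please confirm that the restore side recreates the file with its original owner and mode, and that the archive is protected the same way as it is for the PKCS#12 files (`CACERT_P12`, `KRACERT_P12`) listed just above.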

[Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti
Hello,

The DRAFT of the FreeIPA 4.5.0 release notes is ready:
http://www.freeipa.org/page/Releases/4.5.0

Please update it, or let me know what is missing and what is extra.


Martin^2

[Freeipa-devel] [freeipa PR#582][opened] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/582
Author: stlaz
 Title: #582: Remove pkinit from ipa-replica-prepare
Action: opened

PR body:
"""
The PKINIT feature is not available on domain level 0, so any
options about pkinit are false.

https://pagure.io/freeipa/issue/6759
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/582/head:pr582
git checkout pr582
From f973b8606d8da8e569bf3830a95aa25170e6ff4f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Mar 2017 14:18:33 +0100
Subject: [PATCH] Remove pkinit from ipa-replica-prepare

The PKINIT feature is not available on domain level 0, so any
options about pkinit are false.

https://pagure.io/freeipa/issue/6759
---
 ipaserver/install/ipa_replica_prepare.py | 83 +++-
 1 file changed, 7 insertions(+), 76 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..8412eed 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -88,9 +88,6 @@ def add_options(cls, parser):
 parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
 action="store_true", default=False, help="create DNS "
 "zone even if it already exists")
-parser.add_option("--no-pkinit", dest="setup_pkinit",
-action="store_false", default=True,
-help="disables pkinit setup steps")
 parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
 metavar="FILE",
 help="location of CA PKCS#12 file, default /root/cacert.p12")
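Review bot: removing `--no-pkinit` outright, rather than hiding it, turns every existing ipa-replica-prepare invocation that still passes it into an option-parser error; the `SUPPRESS_HELP` mechanism already used in this file for the underscore spellings would let the option stay accepted as a hidden no-op for a compatibility window. If removal is the intent, the commit message should call it out as a CLI break.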
@@ -112,12 +109,6 @@ def add_options(cls, parser):
 group.add_option("--http_pkcs12", dest="http_cert_files",
 action="append",
 help=SUPPRESS_HELP)
-group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
-action="append", metavar="FILE",
-help="File containing the Kerberos KDC SSL certificate and private key")
-group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
-action="append",
-help=SUPPRESS_HELP)
 group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
 metavar="PIN",
 help="The password to unlock the Directory Server private key")
@@ -128,20 +119,12 @@ def add_options(cls, parser):
 help="The password to unlock the Apache Server private key")
 group.add_option("--http_pin", dest="http_pin", sensitive=True,
 help=SUPPRESS_HELP)
-group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
-metavar="PIN",
-help="The password to unlock the Kerberos KDC private key")
-group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
-help=SUPPRESS_HELP)
 group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
 metavar="NAME",
 help="Name of the Directory Server SSL certificate to install")
 group.add_option("--http-cert-name", dest="http_cert_name",
 metavar="NAME",
 help="Name of the Apache Server SSL certificate to install")
-group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
-metavar="NAME",
-help="Name of the Kerberos KDC SSL certificate to install")
 parser.add_option_group(group)
 
 def validate_options(self):
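Review bot: with `--pkinit-pin` and `--pkinit-cert-name` gone, `options.pkinit_pin` and `options.pkinit_cert_name` no longer exist on the parsed options object, so any surviving reference elsewhere in this module would now fail with an AttributeError at runtime instead of a parse error. A grep for `pkinit_pin` and `pkinit_cert` over the file should accompany this hunk.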
@@ -162,18 +145,10 @@ def validate_options(self):
 
 # If any of the PKCS#12 options are selected, all are required.
 cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
-cert_file_opt = (options.pkinit_cert_files,)
-if options.setup_pkinit:
-cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+if any(cert_file_req) and not all(cert_file_req):
 self.option_parser.error(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
-if not options.setup_pkinit and options.pkinit_cert_files:
-self.option_parser.error(
-"--no-pkinit and --pkinit-cert-file cannot be specified "
-"together"
+"--dirsrv-cert-file and --http-cert-file are required if any "
+"key file options are used."
 )
 
 if len(self.args) < 1:
@@ -291,7 +266,7 @@ def ask_for_options(self):
"--ip-address option." % zone)
 raise admintool.ScriptError("Cannot add DNS record")
 
-self.http_pin = self.dirsrv_pin = self.pkinit_pin = None
+self.http_pin = self.dirsrv_pin = None
 
 if options.http_cert_files:
 if options.http_pin is None:
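Review bot: `self.pkinit_pin` is no longer initialised here, but the final hunk (`@@ -321,20 +296,6 @@`) that presumably removes its readers is cut off in this mail, so the posted diff does not show that no use of `self.pkinit_pin` survives in `ask_for_options`; please make sure the full diff is visible in the PR before ack.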
@@ -321,20 +296,6 @@ def ask_for_

[Freeipa-devel] [freeipa PR#569][+ack] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

Label: +ack

[Freeipa-devel] [freeipa PR#560][synchronized] rpcserver: x509_login: Handle unsuccessful certificate login gracefully

2017-03-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/560
Author: dkupka
 Title: #560: rpcserver: x509_login: Handle unsuccessful certificate login gracefully
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/560/head:pr560
git checkout pr560
From e9b675f2858986300fb55db6ec40a70be8ed33f1 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 9 Mar 2017 12:28:26 +0100
Subject: [PATCH] rpcserver: x509_login: Handle unsuccessful certificate login
 gracefully

When mod_lookup_identity is unable to match a user by certificate (and username),
it unsets the HTTP request's user. mod_auth_gssapi is then unable to get a Kerberos
ticket and doesn't set the KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such a case to indicate that the request was
not authenticated.

https://pagure.io/freeipa/issue/6225
---
 ipaserver/rpcserver.py | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index fa15742..be4e391 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -834,6 +834,16 @@ class login_kerberos(KerberosLogin):
 class login_x509(KerberosLogin):
 key = '/session/login_x509'
 
+def __call__(self, environ, start_response):
+self.debug('WSGI login_x509.__call__:')
+
+if 'KRB5CCNAME' not in environ:
+return self.unauthorized(
+environ, start_response, 'KRB5CCNAME not set',
+'Authentication failed')
+
+super(login_x509, self).__call__(environ, start_response)
+
 
 class login_password(Backend, KerberosSession):
 
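Review bot: the success path drops the parent's response: `super(login_x509, self).__call__(environ, start_response)` is called but its value is not returned, so `__call__` returns None after the parent has already sent headers and the WSGI server gets no body. It should read `return super(login_x509, self).__call__(environ, start_response)`. The `KRB5CCNAME` guard itself is the right fail-closed check for the unmatched-certificate case described in the commit message.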
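The mechanism from the commit message above (no KRB5CCNAME in the WSGI environ means the client certificate never mapped to a user, so the login must answer 401) as an added stand-alone example; this is not FreeIPA code. `KerberosLoginBase`, `run_login` and the two environ dicts are constructed stand-ins for the real KerberosLogin class and Apache's environ, and `LoginX509DroppedReturn` shows what happens when the parent's response is not returned.

```python
# Added example modelled on the login_x509 change; not FreeIPA code.
# KerberosLoginBase, run_login and the environ dicts below are constructed
# stand-ins for the real KerberosLogin class and for Apache's WSGI environ.


class KerberosLoginBase:
    """Stand-in for the parent class: turns a Kerberos ccache into a session.

    It relies on mod_lookup_identity + mod_auth_gssapi having put KRB5CCNAME
    into the environ; when the client certificate maps to no user, that
    variable is simply absent.
    """

    def __call__(self, environ, start_response):
        ccache = environ['KRB5CCNAME']   # KeyError without the guard below
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'session established from ' + ccache.encode()]

    def unauthorized(self, environ, start_response, message, detail):
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [('%s: %s' % (detail, message)).encode()]


class LoginX509(KerberosLoginBase):
    key = '/session/login_x509'

    def __call__(self, environ, start_response):
        # Fail closed: no ccache means mod_auth_gssapi never obtained a ticket,
        # so the certificate login did not authenticate anyone.
        if 'KRB5CCNAME' not in environ:
            return self.unauthorized(environ, start_response,
                                     'KRB5CCNAME not set',
                                     'Authentication failed')
        # The parent's response is returned so the WSGI server receives the
        # body on the success path.
        return super(LoginX509, self).__call__(environ, start_response)


class LoginX509DroppedReturn(KerberosLoginBase):
    """Same guard, but the parent's result is discarded (the pitfall to avoid)."""

    def __call__(self, environ, start_response):
        if 'KRB5CCNAME' not in environ:
            return self.unauthorized(environ, start_response,
                                     'KRB5CCNAME not set',
                                     'Authentication failed')
        super(LoginX509DroppedReturn, self).__call__(environ, start_response)


def run_login(app, environ):
    """Drive a WSGI callable with a capturing start_response.

    Returns (status, body); body is None when the app returned nothing.
    """
    captured = {}

    def start_response(status, headers):
        captured['status'] = status

    result = app(dict(environ), start_response)
    if result is None:
        return captured.get('status'), None
    return captured['status'], b''.join(result)


# Constructed environs: the auth modules succeeded in the first one; in the
# second, mod_lookup_identity matched no user so KRB5CCNAME was never set.
AUTHENTICATED_ENV = {
    'REQUEST_METHOD': 'POST',
    'REMOTE_USER': 'alice@EXAMPLE.TEST',
    'KRB5CCNAME': 'FILE:/run/ipa/ccaches/alice',
}
UNMATCHED_CERT_ENV = {'REQUEST_METHOD': 'POST'}

if __name__ == '__main__':
    print(run_login(LoginX509(), AUTHENTICATED_ENV))
    print(run_login(LoginX509(), UNMATCHED_CERT_ENV))
    print(run_login(LoginX509DroppedReturn(), AUTHENTICATED_ENV))
```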

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Jakub Hrozek
On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> Hello,
> 
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
> 
> Please update/let me know what is missing, what is extra.

Please update this paragraph:

AD User Short Names

Support for AD users short names has been added. Short
names can be enabled from CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from WebUI under Configuration tab. No manual configuration on SSSD
side is required.


With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210



Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Luc de Louw

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? Should be worth mentioning it so people are more 
encouraged to test it in Fedora before it's getting to RHEL 7.4


Thanks,

Luc



On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
>
> Please update this paragraph:
>
> AD User Short Names
>
> Support for AD users short names has been added. Short
> names can be enabled from CLI by setting ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
> or from WebUI under Configuration tab. No manual configuration on SSSD
> side is required.
>
> With a note that this feature is not supported by SSSD yet and the work
> is tracked with https://pagure.io/SSSD/sssd/issue/3210



--
Luc de Louw
Senior Linux Consultant
Red Hat GmbH
Am Treptower Park 75, 2nd floor
D-12435 Berlin

Email: ldel...@redhat.com
Cell Germany: +49 162 413 29 64
Cell Bahrain +973 33 54 79 77
Cell UAE +971 50 95 86 406
Cell Saudi Arabia +966 5540 98 525
Cell Austria: +43 66 47 96 90 47
Cell Switzerland: +41 78 664 58 13
Cell France: +33 609 18 57 09
Cell Netherlands: +31 6 21 48 18 67
Cell Uganda: +256 71 39 14 337



[Freeipa-devel] [freeipa PR#574][closed] ipa-replica-prepare fix

2017-03-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/574
Author: stlaz
 Title: #574: ipa-replica-prepare fix
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/574/head:pr574
git checkout pr574

[Freeipa-devel] [freeipa PR#574][+pushed] ipa-replica-prepare fix

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

Label: +pushed

[Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

MartinBasti commented:
"""
master:

* 992e6ecd1ff33f4f872e8f174bd426507c55f5c4 Fix ipa-replica-prepare server-cert creation
* 8980f4098ebf6b62556e24f090718802d1e495d3 Don't fail more if cert req/cert creation failed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/574#issuecomment-286430379

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Alexander Bokovoy

On ti, 14 maalis 2017, Luc de Louw wrote:
> My 3 cents...
>
> "Please note that FIPS 140-2 support may not work on some platforms"
>
> -> Does it work in Fedora? Should be worth mentioning it so people are
> more encouraged to test it in Fedora before it's getting to RHEL 7.4

I think we should actually add an explicit statement for trust to AD not
currently supporting FIPS 140-2 mode.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Florence Blanc-Renaud

On 03/14/2017 01:51 PM, Martin Basti wrote:
> Hello,
>
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
>
> Please update/let me know what is missing, what is extra.
>
>
> Martin^2

Hi Martin,

thank you for the release notes. Could you update the section about 
Certificate Identity Mapping?

'''
Certificate Identity Mapping

Support for multiple certificates on Smart cards has been added. The user 
can choose which certificate is used to authenticate. This allows defining 
multiple certificates per user.
The same certificate can be used by different accounts, and the mapping 
between a certificate and an account can be done through binary match of 
the whole certificate or a match on custom certificate attributes (such 
as Subject + Issuer).

'''

I also noted a typo:
'''
Bug fixes
Contains all bugfixes and enhacements
'''
should be enhancements.

Thank you,
Flo




Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti


On 14.03.2017 15:08, Florence Blanc-Renaud wrote:
> On 03/14/2017 01:51 PM, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
>>
>>
>> Martin^2
>>
>>
>>
>>
> Hi Martin,
>
> thank you for the release notes. Could you update the section about
> Certificate Identity Mapping?
> '''
> Certificate Identity Mapping
>
> Support for multiple certificates on Smart cards has been added. The user
> can choose which certificate is used to authenticate. This allows defining
> multiple certificates per user.
> The same certificate can be used by different accounts, and the
> mapping between a certificate and an account can be done through
> binary match of the whole certificate or a match on custom certificate
> attributes (such as Subject + Issuer).
> '''
>
> I also noted a typo:
> '''
> Bug fixes
> Contains all bugfixes and enhacements
> '''
> should be enhancements.
>
> Thank you,
> Flo
>
>

Thank you, updated




[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

dkupka commented:
"""
LGTM and works.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-28641

[Freeipa-devel] [freeipa PR#559][+ack] WebUI: Certificate login

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +ack

[Freeipa-devel] [freeipa PR#559][+pushed] WebUI: Certificate login

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +pushed

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

dkupka commented:
"""
master:

* 75c592d3b9081474cae51c929e6af29c7a0eebb6 Support certificate login after installation and upgrade
* 585547ee9478ea0173106d88d40d7807baab8bcf WebUI: add link to login page which for login using certificate
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286433787

[Freeipa-devel] [freeipa PR#559][closed] WebUI: Certificate login

2017-03-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti


On 14.03.2017 14:56, Luc de Louw wrote:
> My 3 cents...
>
> "Please note that FIPS 140-2 support may not work on some platforms"
>
> -> Does it work in Fedora? Should be worth mentioning it so people are
> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>
> Thanks,
>
> Luc

We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.

>
>
>
> On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
>> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>>> Hello,
>>>
>>> DRAFT for FreeIPA 4.5.0 release notes is ready
>>> http://www.freeipa.org/page/Releases/4.5.0
>>>
>>> Please update/let me know what is missing, what is extra.
>>
>> Please update this paragraph:
>> 
>> AD User Short Names
>>
>> Support for AD users short names has been added. Short
>> names can be enabled from CLI by setting ipa config-mod
>> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
>> or from WebUI under Configuration tab. No manual configuration on SSSD
>> side is required.
>> 
>>
>> With a note that this feature is not supported by SSSD yet and the work
>> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>>
>





Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti


On 14.03.2017 15:06, Alexander Bokovoy wrote:
> On ti, 14 maalis 2017, Luc de Louw wrote:
>> My 3 cents...
>>
>> "Please note that FIPS 140-2 support may not work on some platforms"
>>
>> -> Does it work in Fedora? Should be worth mentioning it so people are
>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
> I think we should actually add an explicit statement for trust to AD not
> currently supporting FIPS 140-2 mode.
>
I will add it to known issues




[Freeipa-devel] [freeipa PR#569][closed] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/569
Author: MartinBasti
 Title: #569: Remove copy-schema-to-ca.py from master branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/569/head:pr569
git checkout pr569

[Freeipa-devel] [freeipa PR#569][comment] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

MartinBasti commented:
"""
master:

* f4c7f1dd8a9ce530a8291219a904686ee47e59c7 Remove copy-schema-to-ca.py from master branch
* ca5b53adccdd581bc39233378c422ca448e6edd2 Add copy-schema-to-ca for RHEL6 to contrib/
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/569#issuecomment-286434510

[Freeipa-devel] [freeipa PR#569][+pushed] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

Label: +pushed

[Freeipa-devel] [freeipa PR#583][opened] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: opened

PR body:
"""
Brown paper bag moment, discovered when trying to install 4.4.x.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,
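Review bot: the new `wait=True` parameter is accepted but never read in the visible body of `is_running`; if it exists only so that callers passing `wait=` stop failing with a TypeError, a short comment or docstring saying the Debian backend ignores it would stop the next reader from assuming it is honoured. The `restart()` call site three lines up still calls `self.is_running(instance_name)` without it, which is fine given the default.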

[Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH 1/2] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,

From ce487555d0b0dcf59b75a0b828306bee2e065447 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:43:22 +0200
Subject: [PATCH 2/2] ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.

---
 ipaplatform/debian/paths.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad0e13c..1f1b9a7 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -71,6 +71,7 @@ class DebianPathNamespace(BasePathNamespace):
 GENERATE_RNDC_KEY = "/bin/true"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
 IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
 HTTPD = "/usr/sbin/apache2ctl"
 REMOVE_DS_PL = "/usr/sbin/remove-ds"
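Review bot: the commit message is empty apart from the subject; a one-line note on which caller needs `IPA_HTTPD_KDCPROXY` on Debian would help. The chosen path follows the neighbouring `/usr/lib/ipa/` helpers (`ipa-dnskeysyncd`, `ipa-ods-exporter`), which is the consistent choice.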

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

MartinBasti commented:
"""
Works for me. @abbra @simo5 do you have any objections?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286444597

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
It seems to work fine for "mod_nss" reinstalls but `ipa-server-upgrade` is 
currently failing so I can't confirm that's ok.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286446500

[Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: +ack

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286447734

[Freeipa-devel] [freeipa PR#531][-ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: -ack

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

tiran commented:
"""
@simo5 please resolve the merge conflict
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-286448385

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

HonzaCholasta commented:
"""
The options were available since forever, so I guess you should just hide them 
instead of removing them.

The same options are still available in domain level 0 `ipa-server-install` - 
is this intentional?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286448587

[Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features

2017-03-14 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From dda3378a35020232b95e01e46c18e9850d48e0b6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

https://pagure.io/freeipa/issue/5825

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 13 -
 init/systemd/Makefile.am |  1 +
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am|  1 +
 install/tools/ipa-custodia   |  6 ++
 ipapython/setup.py   |  1 -
 ipaserver/secrets/service.py | 30 ++
 ipaserver/setup.py   |  1 +
 ipasetup.py.in   |  1 +
 9 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index edffa6b..4fe5bfe 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -163,7 +163,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
@@ -199,7 +200,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -318,6 +320,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-custodia >= 0.3
 Requires: python-ldap >= 2.4.15
 Requires: python-lxml
 Requires: python-gssapi >= 1.2.0
@@ -348,6 +351,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-custodia >= 0.3
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
@@ -377,7 +381,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -624,7 +628,6 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
@@ -673,7 +676,6 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1126,6 +1128,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 325e857..945f6ac 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
 		-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
 		-e 's|@localstatedir[@]|$(localstatedir)|g' \
 		-e 's|@sbindir[@]|$(sbindir)|g' \
+		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
 		'$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/cu
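Review bot: switching from `Type=simple` to `Type=notify` means systemd only considers the unit started once the process sends READY=1 over NOTIFY_SOCKET; that is only correct if the new `@libexecdir@/ipa/ipa-custodia` launcher actually does so (Custodia 0.3's notify support is not visible in this excerpt), otherwise the unit sits in "activating" until the start timeout and is killed. Also, the `@libexecdir@` marker in the new ExecStart line depends on the sed substitution added to init/systemd/Makefile.am in the previous hunk, so the two hunks must land in the same commit.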

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

2017-03-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
sigh, template markers aren't picked up automatically. I fixed 
```init/systemd/Makefile.am```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-286448906

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
They were in DL0 in `ipa-server-install` for a very long time and never worked. 
We left them there to make sure we can get them back to work sometime later. We 
did, but in the new design `ipa-replica-prepare` does not need to use these options, 
unlike `ipa-server-install`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286449785

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka

On 03/14/2017 03:14 PM, Martin Basti wrote:

On 14.03.2017 14:56, Luc de Louw wrote:

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? Should be worth mentioning it so people are
more encouraged to test it in Fedora before it's getting to RHEL 7.4

Thanks,

Luc

We cannot guarantee that FIPS mode will work with Fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point 
adding it there.



On 03/14/2017 02:50 PM, Jakub Hrozek wrote:

On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:

Hello,

DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0

Please update/let me know what is missing, what is extra.

Please update this paragraph:

AD User Short Names

Support for AD users short names has been added. Short
names can be enabled from CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from WebUI under Configuration tab. No manual configuration on SSSD
side is required.


With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210





[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation

2017-03-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

tiran commented:
"""
@LiptonB needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/542#issuecomment-286452115

[Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution

2017-03-14 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
From 5e9291aaf7dfd92c5983f0bcd80976b1f597ac58 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 14:24:21 +0100
Subject: [PATCH 1/4] Short name resolution: introduce the required schema

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372
---
 install/share/60basev3.ldif | 2 ++
 install/updates/50-ipaconfig.update | 1 +
 2 files changed, 3 insertions(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 059174b..efc6c8a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -57,6 +57,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#1
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: (2.16.840.1.113730.3.8.11.77 NAME 'ipaDomainResolutionOrder' DESC 'List of domains used to resolve a short name' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.5')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
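Review bot: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 is IA5String, so `ipaDomainResolutionOrder` can only hold ASCII; the validator described for the follow-up commit should therefore either convert internationalized domain names to their A-label (IDNA) form before storing them or reject non-ASCII input with a clear message, rather than letting the directory server return a syntax violation. SINGLE-VALUE is the right choice here, since the order of the colon-separated list matters and a multi-valued attribute would not preserve it.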
@@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5')
 objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
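Review bot: making `ipaNameResolutionData` AUXILIARY with a single MAY attribute is appropriate for attaching it to the existing ipaConfig entry; since the objectClass OIDs in this file jump from 2.16.840.1.113730.3.8.12.34 to the new 12.39, please confirm that 12.35 to 12.38 are already allocated elsewhere (and that 12.39 is not) so the number does not collide with another in-flight schema change.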
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 89a1726..23d2919 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -4,3 +4,4 @@ add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
+add:objectClass: ipaNameResolutionData
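Review bot: the update only attaches the auxiliary objectclass and sets no `ipaDomainResolutionOrder` value, so upgraded servers keep their current behaviour until an administrator sets the order explicitly; it would help to say so in the commit message, since "Extend ipaConfig object" alone could be read as the feature becoming active on upgrade.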

From f1affc6f2ca6f892e7ea8b49a070fb398daa88f2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 18:14:52 +0100
Subject: [PATCH 2/4] ipaconfig: add the ability to manipulate domain
 resolution order

An optional attribute was added to the config object along with a validator that
checks for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372
---
 ACI.txt |   2 +-
 API.txt |   3 +-
 VERSION.m4  |   4 +-
 ipaserver/plugins/config.py | 115 +++-
 4 files changed, 118 insertions(+), 6 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index a36d460..c6
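The PATCH 2/4 commit message above describes a validator for the new attribute. As an added example (mine, not FreeIPA's own ipaserver/plugins/config.py code), here is the shape such a check can take for a value like `domain.test:ad.domain1.test:ad.domain2.test`: syntactic validation of each name, rejection of duplicates, and a lookup against a constructed, hypothetical table of known domains that stands in for the LDAP queries of the IPA domain and trusted forests the real code performs. The `KNOWN_DOMAINS` contents and their kind/enabled flags are made up for the example.

```python
"""Added example, not FreeIPA's own code: validate a domain resolution order
string such as "domain.test:ad.domain1.test:ad.domain2.test".

It mirrors the checks the PATCH 2/4 commit message describes (syntactically
valid names, known to IPA or a trusted forest, trusted domains not disabled)
against a constructed, hypothetical table that stands in for the LDAP lookups
FreeIPA performs in ipaserver/plugins/config.py.
"""
import re
from typing import Dict, List, Tuple

# One DNS label per RFC 1123: 1-63 letters, digits or hyphens, no leading or
# trailing hyphen. ASCII only, which also matches the IA5String syntax of the
# ipaDomainResolutionOrder attribute.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_NAME_LEN = 253

# Constructed sample data (hypothetical): domain -> (kind, enabled).
# "ipa" is the local IPA domain, "trusted" is a domain from a trusted AD forest.
KNOWN_DOMAINS: Dict[str, Tuple[str, bool]] = {
    "ipa.test": ("ipa", True),
    "ad.test": ("trusted", True),
    "child.ad.test": ("trusted", True),
    "old.ad.test": ("trusted", False),   # disabled trusted domain
}


def is_valid_domain_name(name: str) -> bool:
    """Syntactic check only: total length, non-empty labels, label charset."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def validate_domain_resolution_order(
        value: str,
        known: Dict[str, Tuple[str, bool]] = KNOWN_DOMAINS) -> List[str]:
    """Return the normalised domain list, or raise ValueError with the reason.

    Normalisation is whitespace stripping and lower-casing; the list order is
    preserved because it is the lookup order the resolver will use.
    """
    if not value or not value.strip():
        raise ValueError("domain resolution order must not be empty")
    result: List[str] = []
    for raw in value.split(":"):
        name = raw.strip().lower()
        if not is_valid_domain_name(name):
            raise ValueError("invalid domain name: %r" % raw)
        if name in result:
            raise ValueError("domain listed more than once: %s" % name)
        if name not in known:
            raise ValueError("domain is neither the IPA domain nor a trusted "
                             "domain: %s" % name)
        kind, enabled = known[name]
        if kind == "trusted" and not enabled:
            raise ValueError("trusted domain is disabled: %s" % name)
        result.append(name)
    return result


def check(value: str, known=KNOWN_DOMAINS) -> Tuple[bool, object]:
    """Non-raising wrapper: (True, domains) or (False, error message)."""
    try:
        return True, validate_domain_resolution_order(value, known)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for sample in ("ipa.test:ad.test:child.ad.test", "ipa.test:old.ad.test",
                   "ipa.test:nope.test", "IPA.TEST:ad.test", "-bad.test"):
        print("%-32s -> %s" % (sample, check(sample)))
```

The lower-casing step matters because the attribute uses caseIgnoreIA5Match, so two spellings that differ only in case would otherwise slip past the duplicate check while comparing equal in the directory.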

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
PR rebased, I have fixed bugs in ID view objectclass handling and re-used the 
trusted domain retrieval code in certmap plugin. This is a separate commit so 
it can be removed if necessary.

I have noticed that with the current PR we cannot add the domain resolution order 
to Default Trust View, as it is protected from both modification and removal. 
@abbra is this expected also in this case? 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286454496

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Rob Crittenden
Standa Laznicka wrote:
> On 03/14/2017 03:14 PM, Martin Basti wrote:
>> On 14.03.2017 14:56, Luc de Louw wrote:
>>> My 3 cents...
>>>
>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>
>>> -> Does it work in Fedora? Should be worth mentioning it so people are
>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>
>>> Thanks,
>>>
>>> Luc
>> We cannot guarantee that FIPS mode will work with Fedora, any package
>> update may break it.
> Fedora itself is not capable of running in FIPS mode so there's no point
> adding it there.

I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob
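Rob's point is that the kernel FIPS flag and NSS FIPS mode are independent switches. The following is an added example (mine, not from this thread or from FreeIPA) that reports both for a host: it reads the kernel flag behind `sysctl crypto.fips_enabled` from /proc/sys/crypto/fips_enabled and asks `modutil -chkfips true` about each NSS database. The database directories /etc/pki/nssdb and /etc/httpd/alias are assumed defaults, and the exit-code contract of `modutil -chkfips` (0 when the database is in the requested mode) is an assumption; both are marked in the code.

```python
"""Added example, not code from the thread or FreeIPA: report whether the
kernel and one or more NSS databases run in FIPS mode.

Assumptions: /proc/sys/crypto/fips_enabled is the flag `sysctl
crypto.fips_enabled` prints, and `modutil -dbdir DIR -chkfips true` exits 0
only when DIR is in FIPS mode. The database directories are assumed defaults.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Shape of `sysctl crypto.fips_enabled` output, e.g. "crypto.fips_enabled = 0"
SYSCTL_RE = re.compile(r"^crypto\.fips_enabled\s*=\s*([01])\s*$")


def parse_fips_sysctl(output: str) -> Optional[bool]:
    """Turn sysctl output into True/False; None if the line is not recognised."""
    match = SYSCTL_RE.match(output.strip())
    if match is None:
        return None
    return match.group(1) == "1"


def kernel_fips_enabled(
        flag_path: str = "/proc/sys/crypto/fips_enabled") -> Optional[bool]:
    """Kernel-wide FIPS flag. None when the file is absent (kernel without
    CONFIG_CRYPTO_FIPS, or not Linux) so callers can tell 'off' from 'unknown'."""
    path = Path(flag_path)
    if not path.is_file():
        return None
    return path.read_text().strip() == "1"


def nss_fips_enabled(dbdir: str, modutil: str = "modutil") -> Optional[bool]:
    """Ask modutil whether the NSS database at dbdir is in FIPS mode.

    Assumed contract: exit status 0 means the database is in the requested
    (true) mode. None when modutil is not installed on this host.
    """
    if shutil.which(modutil) is None:
        return None
    proc = subprocess.run(
        [modutil, "-dbdir", dbdir, "-chkfips", "true"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return proc.returncode == 0


def fips_report(
        nss_dbdirs=("/etc/pki/nssdb", "/etc/httpd/alias")
        ) -> Dict[str, Optional[bool]]:
    """Kernel status plus one entry per NSS database; None means 'unknown'."""
    report: Dict[str, Optional[bool]] = {"kernel": kernel_fips_enabled()}
    for dbdir in nss_dbdirs:
        report["nss:" + dbdir] = nss_fips_enabled(dbdir)
    return report


def describe(status: Optional[bool]) -> str:
    """Human-readable form used by the command-line report."""
    return {True: "enabled", False: "disabled", None: "unknown"}[status]


if __name__ == "__main__":
    for component, status in fips_report().items():
        print("%-24s %s" % (component, describe(status)))
```

Keeping "unknown" distinct from "disabled" is the point of the three-valued results: on a host where modutil is missing or the kernel lacks the flag, a two-valued check would silently report FIPS as off and hide the fact that the question could not be answered.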



[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

abbra commented:
"""
Yes, it is expected too. Remember that 'Default Trust View' is a view that 
applies globally. You already have a global setting to apply.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286456329

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti


On 14.03.2017 14:50, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
> Please update this paragraph:
> 
> AD User Short Names
>
> Support for AD users short names has been added. Short
> names can be enabled from CLI by setting ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
> or from WebUI under Configuration tab. No manual configuration on SSSD
> side is required.
> 
>
> With a note that this feature is not supported by SSSD yet and the work
> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>
I updated that section. Shouldn't we remove it completely from release
notes because it will not work until new SSSD is released?




[Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH 1/3] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,
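Review bot: the new `wait=True` parameter is accepted but not used in the visible body of `is_running`, so a reader may take it for an unfinished change; if it exists only to match the signature the callers (such as the `restart` method above) pass, add a short comment or docstring line saying so, so that it is not "cleaned up" later and the TypeError this patch fixes comes back.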

From ce487555d0b0dcf59b75a0b828306bee2e065447 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:43:22 +0200
Subject: [PATCH 2/3] ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.

---
 ipaplatform/debian/paths.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad0e13c..1f1b9a7 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -71,6 +71,7 @@ class DebianPathNamespace(BasePathNamespace):
 GENERATE_RNDC_KEY = "/bin/true"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
 IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
 HTTPD = "/usr/sbin/apache2ctl"
 REMOVE_DS_PL = "/usr/sbin/remove-ds"

From a0e1b818239720f0d523a2a87065cc8e4c26bb21 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 17:24:56 +0200
Subject: [PATCH 3/3] ipaplatform/debian/paths: Rename IPA_KEYTAB to
 OLD_IPA_KEYTAB.

---
 ipaplatform/debian/paths.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 1f1b9a7..e661a8d 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -26,7 +26,7 @@ class DebianPathNamespace(BasePathNamespace):
 HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
 HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
 HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
-IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
 HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
 NAMED_CONF = "/etc/bind/named.conf"
 NAMED_VAR_DIR = "/var/cache/bind"
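Review bot: renaming `IPA_KEYTAB` to `OLD_IPA_KEYTAB` in the Debian override implies the base namespace now defines a new `IPA_KEYTAB` elsewhere; verify that the inherited default for that new location is right for Debian (the other overrides in this file exist precisely because Debian paths differ) and that no Debian-specific code still references the old name.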

[Freeipa-devel] [freeipa PR#538][synchronized] Run test_ipaclient test suite

2017-03-14 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/538
Author: tiran
 Title: #538: Run test_ipaclient test suite
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/538/head:pr538
git checkout pr538
From 212ed186e60b1aa757c38b2f18780137d5e41dbf Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 3 Mar 2017 12:57:21 +0100
Subject: [PATCH] Run test_ipaclient test suite

Signed-off-by: Christian Heimes 
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 04b766b..1a8f1b3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,6 +21,7 @@ env:
 - TASK_TO_RUN="run-tests"
   TESTS_TO_RUN="test_cmdline
 test_install
+test_ipaclient
 test_ipalib
 test_ipapython
 test_ipaserver

[Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: +ack

[Freeipa-devel] [freeipa PR#584][opened] Improve the implementation of PKINIT certificate retrieval

2017-03-14 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/584
Author: martbab
 Title: #584: Improve the implementation of PKINIT certificate retrieval
Action: opened

PR body:
"""
The original PKINIT cert request code contained numerous defects, namely:

   * nearly absent handling of rejected requests and CA errors which resulted
     e.g. in an unusable WebUI after replica installation
     and
   * certificate request logic that was not consistent with the rest of the
     installers (DS, HTTP for example): what caused hard errors in their case
     went unnoticed in PKINIT setup

This PR consolidates this code so that errors arising from CA rejecting the
PKINIT cert request cause the installers to abort immediately. The PKINIT step
was also split into a separate method executed before LDAP updates. The name
was chosen to be `enable_ssl` in order to make the planned refactoring of
certificate requesting code (https://pagure.io/freeipa/issue/6429) easier: the
method name is not accurate but at least it is consistent with e.g. LDAP
installer so the common code can be grepped with greater ease.

https://pagure.io/freeipa/issue/6739
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/584/head:pr584
git checkout pr584
From 596e3e22a4436d75973c44e48378b1b509c30867 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 14 Mar 2017 09:56:07 +0100
Subject: [PATCH 1/4] Make PKINIT certificate request logic consistent with
 other installers

The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.

The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.

https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 08d39e2..c74fe40 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -357,10 +357,15 @@ def setup_pkinit(self):
 subject = str(DN(('cn', self.fqdn), self.subject_base))
 krbtgt = "krbtgt/" + self.realm + "@" + self.realm
 certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
 try:
-reqid = certmonger.request_cert(certpath, subject, krbtgt,
-dns=self.fqdn, storage='FILE',
-profile='KDCs_PKINIT_Certs')
+certmonger.request_and_wait_for_cert(
+certpath,
+subject,
+krbtgt,
+dns=self.fqdn,
+storage='FILE',
+profile='KDCs_PKINIT_Certs')
 except dbus.DBusException as e:
 # if the certificate is already tracked, ignore the error
 name = e.get_dbus_name()
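Review bot: the `except dbus.DBusException` branch kept around this hunk still catches every DBus error, logs "Failed to initiate the request" and returns, so a certmonger that cannot be reached remains a soft failure while only CA rejections and timeouts raised inside `request_and_wait_for_cert` become hard errors; if the goal is to behave like the DS and HTTP installers, narrow the handler to the already-tracked case and re-raise (or raise a ScriptError) for everything else.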
@@ -368,11 +373,6 @@ def setup_pkinit(self):
 root_logger.error("Failed to initiate the request: %s", e)
 return
 
-try:
-certmonger.wait_for_request(reqid)
-except RuntimeError as e:
-root_logger.error("Failed to wait for request: %s", e)
-
 # Finally copy the cacert in the krb directory so we don't
 # have any selinux issues with the file context
 shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
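Review bot: removing the `wait_for_request` block is right once `request_and_wait_for_cert` does the waiting, but the RuntimeError the removed block used to swallow now propagates out of `setup_pkinit`; the commit message says that is intended, so the installer step name shown at the call site should make it clear that PKINIT certificate issuance failed, and note that the `shutil.copyfile` of the CA certificate below no longer runs in that case, which is fine only if nothing later assumes paths.CACERT_PEM exists.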

From 73f8676e8b49e8f76883c57fd1e6618e00cab94c Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 14 Mar 2017 13:16:07 +0100
Subject: [PATCH 2/4] Request PKINIT cert directly from Dogtag API on first
 master

On the first master the framework may not be fully functional to serve
certificate requests. It is safer to configure a helper that contacts the
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c74fe40..5f2a4b1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -68,6 +68,7 @@ def __init__(self, fstore=None):
 self.kdc_password = None
 self.sub_dict = None
 self.pkcs12_info = None
+self.master_fqdn = None
 
 suffix = ipautil.dn_attribute_property('_suffix')
 subject_base = ipautil.dn_attribute_property('_subject_base')
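Review bot: `self.master_fqdn = None` is initialised here, but nothing in the excerpt shows where it is set or what None means; a one-line comment stating the convention (for example, None when this is the first master and the KDC must talk to Dogtag directly, as the commit message describes) would keep the two code paths in `setup_pkinit` readable.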
@@ -359,6 +360,18 @@ def setup_pkinit(self):
 certpath = (paths.KDC_CERT, paths.KDC_KEY)
 
 try:
+prev_helper = None
+   
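Review bot: `prev_helper = None` suggests the code that follows swaps the certmonger CA helper for one that calls the Dogtag REST API directly; make sure the original helper is restored in a `finally` clause, so that a request that raises (which is exactly what the previous commit makes more likely) does not leave the CA definition pointing at the wrong helper for every later request on that master.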

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
I rebased your patchset on current master and put the uninstallation of 
`ipa_memcached` into a multipass block and all seems to work now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286457931

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka

On 03/14/2017 04:21 PM, Rob Crittenden wrote:

Standa Laznicka wrote:

On 03/14/2017 03:14 PM, Martin Basti wrote:

On 14.03.2017 14:56, Luc de Louw wrote:

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? Should be worth mentioning it so people are
more encouraged to test it in Fedora before it's getting to RHEL 7.4

Thanks,

Luc

We cannot guarantee that FIPS mode will work with Fedora, any package
update may break it.

Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.

I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

Yes, yes and no. Please see the header at this page:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

We tried to set up Fedora for FIPS in RHEV but the machine would not 
even start.


The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob


