Re: [Freeipa-devel] [PATCH] 468 Make ipa-client-automount backwards compatible

2014-04-02 Thread Martin Kosek
On 04/01/2014 07:33 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> ipa-client-automount calls automountlocation-show command during the
>> process. Unfortunately, FreeIPA commands are forward compatible only
>> and thus fail the installer.
>>
>> Similarly to ipa-client-install, call XML-RPC interface directly
>> with version fixed to 2.0 (command was already available at that
>> version) to fix the failure.
>>
>> https://fedorahosted.org/freeipa/ticket/4290
>
> ACK. Tested F-20 client against RHEL 6.5 server.
>
> rob
>

Thanks.

Pushed to:
master: 66fb4d5e849a049e95d3ef4fcf2b86217488634d
ipa-3-3: ee2fac9bee6728facfa4525b8f97585f7030a14c

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 260 Fix update_ca_renewal_master plugin on CA-less installs

2014-04-02 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4294.

Honza

--
Jan Cholasta
From b0e3b7c855b517ef75abd3d9eac4d5db63ef4767 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 2 Apr 2014 10:28:00 +0200
Subject: [PATCH] Fix update_ca_renewal_master plugin on CA-less installs.

This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294
---
 ipaserver/install/plugins/ca_renewal_master.py | 79 +-
 1 file changed, 53 insertions(+), 26 deletions(-)

diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 2481fa7..b2a7ba7 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -18,9 +18,10 @@
 # along with this program.  If not, see http://www.gnu.org/licenses/.
 
 from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install import installutils, certs, cainstance
 from ipalib import errors
 from ipalib.plugable import Registry
-from ipapython import certmonger
+from ipapython import certmonger, dogtag
 from ipapython.dn import DN
 
 register = Registry()
@@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate):
 
 
 def execute(self, **options):
+ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+if not ca.is_configured():
+self.debug(CA is not configured on this host)
+return (False, False, [])
+
 ldap = self.obj.backend
 base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
  self.api.env.basedn)
@@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate):
 ('cert_nickname', 'ipaCert', None),
 )
 request_id = certmonger.get_request_id(criteria)
-if request_id is None:
-self.error(certmonger request for ipaCert not found)
-return (False, False, [])
-ca_name = certmonger.get_request_value(request_id, 'ca_name')
-if ca_name is None:
-self.error(certmonger request for ipaCert is missing ca_name)
-return (False, False, [])
-ca_name = ca_name.strip()
+if request_id is not None:
+self.debug(found certmonger request for ipaCert)
 
-if ca_name == 'dogtag-ipa-renew-agent':
-dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
-update = {
-dn: {
-'dn': dn,
-'updates': ['add:ipaConfigString: caRenewalMaster'],
-},
-}
-return (False, True, [update])
-elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
-return (False, False, [])
-elif ca_name == 'dogtag-ipa-ca-renew-agent':
-return (False, False, [])
+ca_name = certmonger.get_request_value(request_id, 'ca_name')
+if ca_name is None:
+self.warning(
+certmonger request for ipaCert is missing ca_name, 
+assuming local CA is renewal slave)
+return (False, False, [])
+ca_name = ca_name.strip()
+
+if ca_name == 'dogtag-ipa-renew-agent':
+pass
+elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
+return (False, False, [])
+elif ca_name == 'dogtag-ipa-ca-renew-agent':
+return (False, False, [])
+else:
+self.warning(
+certmonger request for ipaCert has unknown ca_name '%s', 
+assuming local CA is renewal slave, ca_name)
+return (False, False, [])
 else:
-self.warning(
-certmonger request for ipaCert has unknown ca_name \%s\, 
-assuming local CA is renewal slave, ca_name)
-return (False, False, [])
+self.debug(certmonger request for ipaCert not found)
+
+config = installutils.get_directive(
+dogtag.configured_constants().CS_CFG_PATH,
+'subsystem.select', '=')
+
+if config == 'New':
+pass
+elif config == 'Clone':
+return (False, False, [])
+else:
+self.warning(
+CS.cfg has unknown subsystem.select value '%s', 
+assuming local CA is renewal slave, config)
+return (False, False, [])
+
+dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+update = {
+dn: {
+'dn': dn,
+'updates': ['add:ipaConfigString: caRenewalMaster'],
+},
+}
+
+return (False, True, [update])
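Review bot: the `dogtag-ipa-renew-agent` branch now only does `pass` and falls through into the `subsystem.select` check, so a host whose ipaCert request already uses `dogtag-ipa-renew-agent` but whose CS.cfg says `Clone` is returned as a renewal slave, whereas the replaced code marked such a host `caRenewalMaster` unconditionally. If the renewal master role can have been moved to a clone, that branch should `return (False, True, [update])` directly and leave the CS.cfg fallback for the no-request (old version) path only. Minor: the CS.cfg read is safe here because the new `is_configured()` guard above runs first; worth a one-line comment so nobody reorders it.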
-- 
1.8.5.3


[Freeipa-devel] [PATCH 0001] Add basic trust and legacy client integration tests

2014-04-02 Thread Tomas Babej
Hi,

this adds basic trust and legacy client integration tests to our Jenkins
jobs repo.


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From 3dc23d1f4ee312e01eafb9677af2d97fdc40845b Mon Sep 17 00:00:00 2001
From: Tomas Babej tomasba...@gmail.com
Date: Tue, 1 Apr 2014 14:43:05 +0200
Subject: [PATCH] Add basic trust and legacy client integration tests

---
 README|  4 
 jenkins-job-builder/freeipa-jobs.yaml | 38 +++
 2 files changed, 42 insertions(+)

diff --git a/README b/README
index 595a041df9d52cd7b4e3a9ee5f3d752f31bb4f91..952baf22a9216eb027bb2361d6e4078409974ca7 100644
--- a/README
+++ b/README
@@ -101,6 +101,10 @@ prepare-hosts:
 any other configuration.
 It also installs built packages on the machines. These are found
 in ./dist/rpms when prepare-hosts runs.
+It also handles the assigment of static test nodes. These are
+specified by using special role names, such as TRUST_IPA for IPA domain
+that AD is configured to establish trusts with, or trust_master for the
+actual IPA master. These fake values are substituted by the script.
 Output can be YAML or JSON.
 
 shutdown-hosts
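Review bot: typo in the added paragraph, "assigment" should be "assignment". The text also calls TRUST_IPA a "special role name", but in the job config added below TRUST_IPA is used as a domain `type` while trust_master is the host `role`; say "special role and domain type names" and state which placeholder values prepare-hosts substitutes, since a reader of the README has no other way to find out.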
diff --git a/jenkins-job-builder/freeipa-jobs.yaml b/jenkins-job-builder/freeipa-jobs.yaml
index 95f767496ff9106cbc92cc22d69619141e00f104..8d9aa4bfa9768b92c1495a2fca40f9d2fde7de5e 100644
--- a/jenkins-job-builder/freeipa-jobs.yaml
+++ b/jenkins-job-builder/freeipa-jobs.yaml
@@ -432,6 +432,44 @@
 role: client
 name: ipa.test
 type: IPA
+- freeipa-integration-{os}-{pretty_name}:
+pretty_name: basic_trust
+suite: test_integration/test_trust.py
+config_template: |
+domains:
+  - hosts:
+  - name: master.ipa.test
+role: trust_master
+name: ipa.test
+type: TRUST_IPA
+  - hosts:
+  - name: ad
+role: ad
+name: ad.test
+type: AD
+- freeipa-integration-{os}-{pretty_name}:
+pretty_name: legacy_clients
+suite: test_integration/test_legacy_clients.py
+config_template: |
+domains:
+  - hosts:
+  - name: master.ipa.test
+role: trust_master
+  - name: legacy_client_sssd_redhat.ipa.test
+role: legacy_client_sssd_redhat
+  - name: legacy_client_nss_ldap_redhat.ipa.test
+role: legacy_client_nss_ldap_redhat
+  - name: legacy_client_nss_pam_ldapd_redhat.ipa.test
+role: legacy_client_nss_pam_ldapd_redhat
+name: ipa.test
+type: TRUST_IPA
+  - hosts:
+  - name: ad.ad.test
+role: ad
+  - name: child.child.ad.test
+role: ad_subdomain
+name: ad.test
+type: AD
 
 - job-template:
 name: freeipa-stats-{os}
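Review bot: the AD host is `name: ad` in the basic_trust job but `ad.ad.test` in the legacy_clients job; use one form in both and document which one prepare-hosts expects. The legacy client placeholders (`legacy_client_sssd_redhat.ipa.test` and the two nss variants) contain underscores, which are not valid in DNS hostname labels; that is harmless only if prepare-hosts always replaces them, so the README hunk should say so to stop anyone copying them into a real config.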
-- 
1.8.5.3


Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object

2014-04-02 Thread Martin Kosek
On 04/01/2014 12:03 PM, Jan Pazdziora wrote:
> On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote:
>>
>> Yes, that was the intention. Mistake on my part, I'll send updated patches.
>>
>> Updated patch attached.
>
> Ack based on reading the code and documentation for
> slapi_ch_free_string.
>

Ok, thanks. Though I would like this patch to be also functionally tested that
it does not break anything, ideally together with your other ipa-range patches.

Martin



Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object

2014-04-02 Thread Alexander Bokovoy

On Wed, 02 Apr 2014, Martin Kosek wrote:
> On 04/01/2014 12:03 PM, Jan Pazdziora wrote:
>> On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote:
>>>
>>> Yes, that was the intention. Mistake on my part, I'll send updated patches.
>>>
>>> Updated patch attached.
>>
>> Ack based on reading the code and documentation for
>> slapi_ch_free_string.
>
> Ok, thanks. Though I would like this patch to be also functionally tested that
> it does not break anything, ideally together with your other ipa-range patches.

It is on my test list, don't worry.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0017] Add wait_for_dns option to default.conf

2014-04-02 Thread Petr Spacek

Hello,

Add wait_for_dns option to default.conf.

This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.

It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.

My personal recommendation is to use value 5 (for testing!).

--
Petr^2 Spacek
From 5509f954308b910a8b100aaf14239202f6635762 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 2 Apr 2014 11:04:07 +0200
Subject: [PATCH] Add wait_for_dns option to default.conf.

This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.

It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.
---
 ipa-client/man/default.conf.5 |   9 ++
 ipalib/constants.py   |   1 +
 ipalib/errors.py  |  18 
 ipalib/plugins/dns.py | 217 +-
 4 files changed, 241 insertions(+), 4 deletions(-)

diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 5d5a48db62cb97e7424b42b6cb70d0c872b2bc34..c1ccf109e874907885fc3b51b63507c2b46b64ab 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -178,6 +178,15 @@ Used internally in the IPA source package to verify that the API has not changed
 .B verbose boolean
 When True provides more information. Specifically this sets the global log level to info.
 .TP
+.B wait_for_dns number of attempts
+Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second.
+.IP
+The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts.
+.IP
+The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server.
+.IP
+Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present).
+.TP
 .B xmlrpc_uri URI
 Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml
 .TP
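Review bot: `.B wait_for_dns number of attempts` documents an integer, but the constants.py hunk in this same patch sets the default to `False`; the man page should say explicitly that 0 or False disables the wait and any positive integer is the attempt count, and that each attempt is one DNS query separated by the one-second delay already mentioned. Also name the error number (4212) next to DNSDataMismatch so a failing test can be matched to the error index in ipalib/errors.py.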
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 8fc04afcd5cb996830d81e2e9b9dcf3f58034ef2..6cc50eacf44678840ad0048a1ef60c05736879cb 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
 ('debug', False),
 ('startup_traceback', False),
 ('mode', 'production'),
+('wait_for_dns', False),
 
 # CA plugin:
 ('ca_host', FQDN),  # Set in Env._finalize_core()
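Review bot: `('wait_for_dns', False)` gives the option a boolean default while the man page describes a number of attempts, so callers have to handle both a bool and an int. Use `0` as the default and treat "not positive" as disabled, then the dns.py code only ever deals with one type.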
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..311127f62e54017c85541d27276020a9f950ab0f 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1512,6 +1512,24 @@ class DatabaseTimeout(DatabaseError):
 format = _('LDAP timeout')
 
 
+class DNSDataMismatch(ExecutionError):
+
+**4212** Raised when an DNS query didn't return expected answer
+in a configured time limit.
+
+For example:
+
+ raise DNSDataMismatch(expected=zone3.test. 86400 IN A 192.0.2.1, \
+  got=zone3.test. 86400 IN A 192.168.1.1)
+Traceback (most recent call last):
+  ...
+DNSDataMismatch: DNS check failed: Expected {zone3.test. 86400 IN A 192.0.2.1} got {zone3.test. 86400 IN A 192.168.1.1}
+
+
+errno = 4212
+format = _('DNS check failed: Expected {%(expected)s} got {%(got)s}')
+
+
 class CertificateError(ExecutionError):
 
 **4300** Base class for Certificate execution errors (*4300 - 4399*).
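Review bot: grammar in the docstring, "Raised when an DNS query didn't return expected answer" should read "Raised when a DNS query did not return the expected answer"; it should also say that the error is only raised when `wait_for_dns` is configured, otherwise readers of the error index will expect to see it in normal operation.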
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index c1b1b643420b190897f9c925eaa17d51c5082348..876f376195c8026546c1160ba9a6678390a40f2e 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -24,6 +24,7 @@ import netaddr
 import time
 import re
 import dns.name
+import dns.resolver
 
 from ipalib.request import context
 from ipalib import api, errors, output
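Review bot: the next hunk uses `dns.rdataclass.IN` and `dns.rdatatype.from_text`, but only `dns.resolver` is imported here; that works only because dns.resolver happens to import those submodules itself. Add explicit `import dns.rdataclass` and `import dns.rdatatype` so the module does not depend on a transitive import.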
@@ -248,6 +249,12 @@ _record_attributes = [str('%srecord' % t.lower()) for t in _record_types]
 # supported DNS classes, IN = internet, rest is almost never used
 _record_classes = (u'IN', u'CS', u'CH', u'HS')
 
+# IN record class
+_IN = dns.rdataclass.IN
+
+# NS record type
+_NS = dns.rdatatype.from_text('NS')
+
 def _rname_validator(ugettext, zonemgr):
 try:
 validate_zonemgr(zonemgr)
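Review bot: `_NS = dns.rdatatype.from_text('NS')` can be `dns.rdatatype.NS`, the same constant without a text lookup at import time; `_IN` already uses the constant form, so keep the two consistent.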
@@ -2397,6 +2404,178 @@ class dnsrecord(LDAPObject):
   'NS record except when located in a zone root '
 

Re: [Freeipa-devel] [PATCH 0017] Add wait_for_dns option to default.conf

2014-04-02 Thread Petr Spacek

On 2.4.2014 14:36, Petr Spacek wrote:
> Hello,
>
> Add wait_for_dns option to default.conf.
>
> This option makes record changes in DNS tree synchronous.
> IPA calls will wait until new data are visible over DNS protocol
> or until timeout.
>
> It is intended only for testing. It should prevent tests from
> failing if there is bigger delay between changes in LDAP and DNS.
>
> My personal recommendation is to use value 5 (for testing!).

Ah, my hands were faster than head :-)

This patch supersedes my patch 0015 and should apply to vanilla
master (at the moment).


--
Petr^2 Spacek

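The synchronous check that wait_for_dns adds, as an added example that is not part of Petr's patch or of FreeIPA's code: a stand-alone Python version of the polling loop (re-query until the answer equals what was written, one delay between attempts, DNSDataMismatch after the attempt budget). It also keeps the distinction argued in the 0015 thread: a resolver failure (DNSTimeout) is not retried because it means the server is broken, not that replication is slow. The resolver is injected so the block runs offline; FakeResolver, the record names and the addresses are constructed for the demonstration, and the attempts value follows the config semantics (0/False disables the wait).

```python
import time


class DNSDataMismatch(Exception):
    """The answer never matched the expected data within the attempt budget
    (the patch reports this as IPA error 4212)."""


class DNSTimeout(Exception):
    """The resolver itself failed (timeout, SERVFAIL).  Not retried: it means
    the DNS server or its database is broken, not that data is still in flight."""


class FakeResolver:
    """Constructed stand-in for a resolver (hypothetical, for offline use).

    `script` lists the answers returned on successive calls; the last entry
    repeats forever.  An answer is a set of rdata strings, or the literal
    string "SERVFAIL" to simulate a broken server.
    """

    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def __call__(self, name, rdtype):
        self.calls += 1
        answer = self.script.pop(0) if len(self.script) > 1 else self.script[0]
        if answer == "SERVFAIL":
            raise DNSTimeout("DNS query timeout: %s %s got SERVFAIL" % (name, rdtype))
        return answer


def wait_for_dns(name, rdtype, expected, resolve, attempts, delay=1.0,
                 sleep=time.sleep):
    """Re-query `name`/`rdtype` through `resolve` until the answer equals
    `expected` (a set of rdata strings; an empty set means "record gone").

    `attempts` mirrors the wait_for_dns config value: 0/False disables the
    wait, otherwise it is the maximum number of queries, `delay` seconds
    apart.  Returns the number of queries that were needed.
    """
    if not attempts:
        return 0
    expected = set(expected)
    got = None
    for n in range(1, int(attempts) + 1):
        # A DNSTimeout from the resolver propagates unchanged: a dead server
        # is not a propagation delay, and retrying would only mask it.
        got = set(resolve(name, rdtype))
        if got == expected:
            return n
        if n < attempts:
            sleep(delay)
    raise DNSDataMismatch("DNS check failed: Expected {%s} got {%s}"
                          % (" ".join(sorted(expected)), " ".join(sorted(got))))
```

With a real resolver the `resolve` argument would be a small wrapper around a dnspython query that returns the rdata strings of the answer as a set (and an empty set on NXDOMAIN/NoAnswer) and raises DNSTimeout on timeout or SERVFAIL; everything else stays as above.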


Re: [Freeipa-devel] [PATCH 0015] Add wait_for_dns option to default.conf

2014-04-02 Thread Petr Spacek

On 28.3.2014 09:43, Martin Kosek wrote:

On 03/28/2014 09:37 AM, Petr Viktorin wrote:

On 03/27/2014 05:44 PM, Petr Spacek wrote:

On 27.3.2014 13:15, Martin Kosek wrote:

On 02/20/2014 03:56 PM, Martin Basti wrote:

On Thu, 2014-02-20 at 14:36 +0100, Petr Spacek wrote:

On 19.2.2014 17:55, Martin Basti wrote:

On Wed, 2014-02-19 at 17:10 +0100, Petr Spacek wrote:

On 19.2.2014 15:11, Petr Spacek wrote:

On 18.2.2014 17:34, Nathaniel McCallum wrote:

On Tue, 2014-02-18 at 17:06 +0100, Petr Viktorin wrote:

On 02/18/2014 04:45 PM, Petr Spacek wrote:

Hello,

Add wait_for_dns option to default.conf.

This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol.

It is intended only for testing - it should prevent tests from
failing if there is bigger delay between change in LDAP and DNS.

I would recommend value like 10 seconds.


Here are a few Python nitpicks you requested.


Thank you very much. This new version solves problems you found +
adds proper
handling for real DNS timeouts.


It seems to me like a more general TimeoutError would be useful
in a
broader context. DNSTimeout seems overly narrow to me, unless I'm
missing something.


I would like to keep them separate. DNSTimeout shouldn't be
handled at all
because it means that your DNS server or database is dead or
broken in some
interesting way.

I assume that generic TimeoutError could be interpreted as 'try it
again'/'failover' or something like that.

Maybe the DNSTimeout is not the best name, I'm open to suggestions.


I have sent the old version with new name, gggrrr.



Tests failed:
test_dns[92]: dnsrecord_add: Add A record to u'ns2' in zone
u'zone3.test' ... ok
 File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
   self.test(*self.arg)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
291, in
lambda
   func = lambda: self.check(nice, **test)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
309, in
check
   self.check_output(nice, cmd, args, options, expected,
extra_check)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
348, in
check_output
   got = api.Command[cmd](*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 436, in __call__
   ret = self.run(*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 761, in run
   return self.forward(*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 782, in forward
   return self.Backend.rpcclient.forward(self.name, *args, **kw)
 File /root/freeipa/ipalib/rpc.py, line 836, in forward
   return self._call_command(command, params)
 File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
   return command(*params)
 File /root/freeipa/ipalib/rpc.py, line 951, in _call
   return self.__request(name, args)
 File /root/freeipa/ipalib/rpc.py, line 945, in __request
   raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {_kerberos.zone2.test.
86400 IN
TXT IDM.LAB.ENG.BRQ.REDHAT.COM} got {SERVFAIL}

==
ERROR: test_dns[51]: dnsrecord_add: Add NS+DNAME record to
u'zone2.test'
zone record using dnsrecord_add
--
Traceback (most recent call last):
 File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
   self.test(*self.arg)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
291, in
lambda
   func = lambda: self.check(nice, **test)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
309, in
check
   self.check_output(nice, cmd, args, options, expected,
extra_check)
 File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line
348, in
check_output
   got = api.Command[cmd](*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 436, in __call__
   ret = self.run(*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 761, in run
   return self.forward(*args, **options)
 File /root/freeipa/ipalib/frontend.py, line 782, in forward
   return self.Backend.rpcclient.forward(self.name, *args, **kw)
 File /root/freeipa/ipalib/rpc.py, line 836, in forward
   return self._call_command(command, params)
 File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
   return command(*params)
 File /root/freeipa/ipalib/rpc.py, line 951, in _call
   return self.__request(name, args)
 File /root/freeipa/ipalib/rpc.py, line 945, in __request
   raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {zone2.test. 86400 IN NS
ns1.dnszone.test.
zone2.test. 86400 IN NS ns1.zone2.test.} got {SERVFAIL}


Re: [Freeipa-devel] [PATCH 0001] Add basic trust and legacy client integration tests

2014-04-02 Thread Petr Viktorin

On 04/02/2014 01:34 PM, Tomas Babej wrote:
> Hi,
>
> this adds basic trust and legacy client integration tests to our Jenkins
> jobs repo.


Thanks!
Pushed to master at https://github.com/encukou/freeipa-ci

--
Petr³



Re: [Freeipa-devel] [PATCH] 565-568 webui: field and widget binding refactoring

2014-04-02 Thread Misnyovszki Adam
On Thu, 27 Mar 2014 16:07:55 +0100
Petr Vobornik pvobo...@redhat.com wrote:

> The last refactoring I did while implementing RCUE login or more
> precisely support for standalone facets which have forms but are not
> details facets.
>
> [PATCH] webui: field and widget binding refactoring
>
> This is a Web UI wide change. Fields and Widgets binding was
> refactored to enable proper two-way binding between them. This should
> allow to have one source of truth (field) for multiple consumers -
> widgets or something else. One of the goals is to have fields and
> widget implementations independent of each other. So that one could
> use a widget without field or use one field for multiple widgets,
> etc..
>
> Basically a field's logic was split into separate components:
> - adapters
> - parsers & formatters
> - binder
>
> Adapters
> - extract data from data source (FreeIPA RPC command result)
> - prepare them for commands.
>
> Parsers
> - parse extracted data to format expected by field
> - parse widget value to format expected by field
>
> Formatters
> - format field value to format suitable for widgets
> - format field value to format suitable for adapter
>
> Binder
> - is a communication bridge between field and widget
> - listens to field's and widget's events and calls appropriate methods
>
> Some side benefits:
> - better validation reporting in multivalued widget
>
> [PATCH] webui: replace widget's hidden property with visible
>
> Hidden was used only in ACI. There is no reason to have two properties
> which are negations of each other.
>
> [PATCH] webui: change widget updated event into value change event
>
> This change allows us to use proper two way binding between a field and
> a widget. In previous implementation field was not changed if
> something changed the value of a widget in 'update'. Now listeners
> are notified when the widget value is changed by: calling 'update',
> 'set_value' or by user change.
>
> [PATCH] webui-tests: binding test suite
>
> Add basic tests for two-way binding between a field and two widgets
>

Integration tests and unit tests ran as expected, looking through the
code, and manually testing it confirmed that, so
ACK

Greets
Adam



Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal

2014-04-02 Thread Rob Crittenden

Jan Cholasta wrote:

> Hi,
>
> the attached patches implement automatic CA certificate renewal as well
> as the initial version of the CA certificate management tool.
>
> Requires my patches 172-196.
>
> In order to test, you must install current git version of certmonger
> (see https://fedorahosted.org/certmonger/ticket/26) and set SELinux to
> permissive (see https://bugzilla.redhat.com/show_bug.cgi?id=1078783).
> Make sure you install certmonger before running
> ipa-server-install/ipa-replica-install. On F20 you can use RPMs located
> at http://jcholast.fedorapeople.org/certmonger-git/.
>
> To test automatic renewal, move system time forward (see
> https://fedorahosted.org/freeipa/ticket/2803#comment:17 for more info
> about certificate renewal testing, nickname of the CA certificate is
> caSigningCert cert-pki-ca). In CA-full installs the renewal should be
> fully automatic, in CA-less installs you should be alerted via syslog to
> renew the certificate using ipa-cacert-manage.
>
> To test manual renewal, run ipa-cacert-manage renew. You can run it on
> any CA master. To make the renewed certificate available on other CA
> masters, you must run getcert resubmit -d /etc/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca' on each of them. Note that currently you
> can't change the chaining of the CA certificate.
>

241

Not to be too anal, but would it be too outlandish to compare the 
Authority Key Identifier (if there is one) with the Subject Key ID to 
see if the cert is self-signed? Same subject then yeah, it is probably 
self-signed. The keys match? Definitely.


242

I wonder if it would be clearer to use variables instead of a raw list 
in the return value for these handlers: (result, message) = handler(...) 
rather than examining result[0], etc. That may be beyond the scope of 
this patch though.


x509.normalize_certificate() can raise an exception, there should be a 
try/except around it.


For an invalid cookie, please include the values seen in the environment 
in the error message.


243

You are going to end up with a lot of acis with the same comment value. 
Perhaps add the host in there as well.


These are not removed when a master is deleted.

244

There are now several different places where the caCertificate value is 
updated. I wonder if it's time for a function. I found it in 
dsinstance.py, upload_cacert and now renew_ca_cert.


246

caRenewalMaster should be checked when a replica is deleted and moved to 
another master. This is a good idea. I wonder if a ticket should be 
opened to do something similar for CRL generation.


247

We've been burned by hardcoded timeouts in the past. Should this be 
configurable? This module doesn't currently do any logging but it might 
be worth spitting out a waiting message, at least for debugging.


249

nss_init() is always scary to me since we can only have one. I didn't 
see anything blow up, just wondering if this should be wrapped with an 
is_initialized()-shutdown() at the top.


The find_cert_from_nickname() should be in a try/except in case the cert 
is not found for some reason.


251

The tool should provide some feedback while it's running. For the 
impatient (me) it takes a really long time and it's hard to know what is 
going on, something in between nothing and full debug output.


The man page needs some more work too. I think some more explanation is 
needed and an example would probably be really helpful as well. I think 
particularly an example for external certs and a description of what you 
mean by Self-signed CA (I assume you mean IPA-provided). I don't think 
it really matters how many steps there are unless you are going to 
provide progress output.


Got a backtrace when running as non-root:

$ ipa-cacert-manage -v renew
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File 
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 168, in 
execute

self.validate_options()
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py, 
line 62, in validate_options

super(CACertManage, self).validate_options(needs_root=True)
  File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 
189, in validate_options

raise ScriptError('Must be root to run %s' % self.command_name, 1)

ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The 
ipa-cacert-manage command failed, exception: ScriptError: Must be root 
to run ipa-cacert-manage
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be 
root to run ipa-cacert-manage


252

In what context would this be executing? My guess is that certmonger is 
trying to do the renewal but a new cert hasn't been issued yet, so this 
gets sysloged?


Still doing functional testing.

rob

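Rob's suggestion under 241 (compare the Authority Key Identifier with the Subject Key Identifier, and fall back to issuer == subject when the AKI is absent), as an added example that is not part of Jan's patches or of FreeIPA's code: a stdlib-only DER walker that pulls both identifiers and both names out of a certificate and applies the two-tier rule, "same name: probably self-signed; same key id: definitely". The OID constants are the standard X.509 ones; `make_cert` and the certificates it builds are constructed for the demonstration (structurally valid DER, but unsigned, with zeroed signature and key bytes), so on a real install the input would instead be the DER export of the CA certificate from the NSS database.

```python
# DER-encoded OID contents (no tag/length), kept as constants
OID_CN = b"\x55\x04\x03"            # 2.5.4.3   commonName
OID_SKI = b"\x55\x1d\x0e"           # 2.5.29.14 subjectKeyIdentifier
OID_AKI = b"\x55\x1d\x23"           # 2.5.29.35 authorityKeyIdentifier
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def _length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER TLV."""
    return bytes([tag]) + _length(len(body)) + body


def parse_tlv(buf, pos=0):
    """Decode the TLV at `pos`; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        out.append((tag, value))
    return out


def cert_fields(der):
    """Return (issuer, subject, ski, aki) from a DER Certificate.

    Names are compared as raw DER bytes, which is exact because DER is
    canonical.  ski/aki are None when the extension is absent.
    """
    _, cert, _ = parse_tlv(der)                 # Certificate ::= SEQUENCE
    tbs = children(children(cert)[0][1])        # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0           # skip explicit [0] version
    issuer, subject = tbs[i + 2][1], tbs[i + 4][1]
    ski = aki = None
    for tag, value in tbs[i + 6:]:              # issuerUID/subjectUID/extensions
        if tag != 0xA3:
            continue
        for _, ext in children(children(value)[0][1]):
            fields = children(ext)              # OID, optional BOOLEAN, OCTET STRING
            oid, extn_value = fields[0][1], fields[-1][1]
            if oid == OID_SKI:
                ski = children(extn_value)[0][1]           # OCTET STRING keyid
            elif oid == OID_AKI:
                for t, v in children(children(extn_value)[0][1]):
                    if t == 0x80:                          # [0] keyIdentifier
                        aki = v
    return issuer, subject, ski, aki


def self_signed(der):
    """'key-match' when AKI == SKI (definitely self-signed), 'name-match' when
    only issuer == subject can be checked (probably), otherwise 'no'."""
    issuer, subject, ski, aki = cert_fields(der)
    if ski is not None and aki is not None:
        return "key-match" if ski == aki else "no"
    return "name-match" if issuer == subject else "no"


# --- constructed test certificates: structure only, unsigned (hypothetical) ---
def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one CN only."""
    attr = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))


def _extension(oid, inner):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, inner))


def make_cert(issuer_cn, subject_cn, ski, aki=None):
    """Build a structurally valid DER certificate with the given SKI/AKI."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + b"\x05\x00")
    exts = _extension(OID_SKI, tlv(0x04, ski))
    if aki is not None:
        exts += _extension(OID_AKI, tlv(0x30, tlv(0x80, aki)))
    validity = tlv(0x30, tlv(0x17, b"140402000000Z") + tlv(0x17, b"240402000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * 33))        # placeholder key
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + _name(issuer_cn) + validity + _name(subject_cn) + spki
              + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))  # zero signature
```

The ordering matters: a certificate whose subject equals its issuer but whose AKI points at a different key is a cross-signed or re-issued CA, not a self-signed one, which is exactly why the key-id comparison must win over the name comparison when both are available.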