Re: [Freeipa-devel] weird data interaction
On 07/17/2014 10:31 PM, Rob Crittenden wrote: Saw something very weird today but my setup was also a bit odd so it may not be worthy of a ticket. Need a second opinion. Ok, so I wanted to test Jan's CA patches. They don't apply to current master due to the churn pre-4.0, so I just rewound the world to July 3 and applied them on the master branch. I don't believe the issues I'm seeing are related to his patches in any way. My environment is two masters, F-20, reasonably updated. What DS version are you using? Ok, so I started with them with 3.3.5 installs as I wanted to test upgrades. As a goof I ran the ipatests on one of them to simulate a bunch of work. There were some failures but I didn't pay close attention because testing in a replicated environment is a bit of an unknown (there are some timing issues IIRC). Anyway, so then I updated one of the masters to this pre-4.0 CA-patches build. Then I re-ran the tests. These I took more notice of as about half of them failed. Most of them related to adding users and this is due to the user objectclasses test we have. It can't revert a change: On the 4.0-ish master: # ipa config-mod --delattr ipauserobjectclasses=ipahost ipa: ERROR: change collided with another change There was a DS bug that affected multi-valued attributes, that caused MidairCollisions like this. So this would be my first guess: https://fedorahosted.org/389/ticket/47806 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix typos in dns.py
On 07/16/2014 10:18 PM, Nathaniel McCallum wrote: On Tue, 2014-07-15 at 21:49 -0600, Gabe Alford wrote: Hello, Fixes https://fedorahosted.org/freeipa/ticket/4429 ACK Pushed to master, ipa-4-1, ipa-4-0: 9a0aae013393097de655b7c6d1e584b2c8a0a75b -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0241] trusts: Make cn=adtrust agents sysaccount nestedgroup
On 07/15/2014 03:50 PM, Jan Cholasta wrote: On 15.7.2014 09:57, Tomas Babej wrote: On 07/14/2014 05:00 PM, Jan Cholasta wrote: Hi, On 14.7.2014 11:50, Tomas Babej wrote: Hi, Since recent permissions work references this entry, we need to be able to have memberOf attributes created on this entry. Hence we need to include the nestedgroup objectclass. https://fedorahosted.org/freeipa/ticket/4433 NACK, default will not work for IPA upgrades, you have to use add. Oops, thanks for the catch, fixed. ACK. Pushed to master, ipa-4-1, ipa-4-0: b7a1401e9dd06c1c8b055295087907e33954a889 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0002 Improve password validity check
https://fedorahosted.org/freeipa/ticket/2796
--
David Kupka
From c0fb9fe49a8b7eb190414571df211c87ba9c3166 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Fri, 18 Jul 2014 10:06:55 +0200
Subject: [PATCH] Improve password validity check.
Allow use of characters that no longer cause troubles. Check for
leading and trailing characters in case of 389 Direcory Manager password.
https://fedorahosted.org/freeipa/ticket/2796
---
install/tools/ipa-server-install | 34 --
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 671a226d625ab9e8168c569a6d83c35dfae52115..5b107c3ff3b61f87c30561a1aeed5ab65cf0bf27 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -121,7 +121,37 @@ def validate_dm_password(password):
raise ValueError(Password must only contain ASCII characters)
# Disallow characters that pkisilent doesn't process properly:
-bad_characters = ' \\%'
+bad_characters = '\\'
+if any(c in bad_characters for c in password):
+raise ValueError('Password must not contain these characters: %s' %
+', '.join('%s' % c for c in bad_characters))
+
+# TODO: Check https://fedorahosted.org/389/ticket/47849
+# Actual behavior of setup-ds.pl is that it does not accept white
+# space characters in password when called interactively but does when
+# provided such password in INF file. But it ignores leading and trailing
+# white spaces in INF file.
+
+# Disallow leading spaces (other white spaces are checked before)
+bad_prefix = ' '
+if password.startswith(bad_prefix):
+raise ValueError('Password must not start with %s.' % bad_prefix)
+
+# Disallow trailing spaces (other white spaces are checked before)
+bad_suffix = ' '
+if password.endswith(bad_suffix):
+raise ValueError('Password must not end with %s.' % bad_prefix)
+
+def validate_admin_password(password):
+if len(password) 8:
+raise ValueError(Password must be at least 8 characters long)
+if any(ord(c) 0x20 for c in password):
+raise ValueError(Password must not contain control characters)
+if any(ord(c) = 0x7F for c in password):
+raise ValueError(Password must only contain ASCII characters)
+
+# Disallow characters that pkisilent doesn't process properly:
+bad_characters = '\\'
if any(c in bad_characters for c in password):
raise ValueError('Password must not contain these characters: %s' %
', '.join('%s' % c for c in bad_characters))
@@ -450,7 +480,7 @@ def read_admin_password():
print This user is a regular system account used for IPA server administration.
print
#TODO: provide the option of generating a random password
-admin_password = read_password(IPA admin)
+admin_password = read_password(IPA admin, validator=validate_admin_password)
return admin_password
def check_dirsrv(unattended):
--
1.9.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0003 Test generated passwords composed of all allowed charactes
Test verifying that IPA server is able to install using passwords
composed of all but forbidden characters.
Related to https://fedorahosted.org/freeipa/ticket/2796
--
David Kupka
From e4d1c384288f4b5c5d08f9f3abd9393b3b868c80 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Fri, 18 Jul 2014 10:15:05 +0200
Subject: [PATCH] Test generated passwords composed of all allowed charactes.
Test ipaserver installation with generated passwords composed of all allowed characters.
---
ipatests/test_password/test_password.py | 93 +
1 file changed, 93 insertions(+)
create mode 100644 ipatests/test_password/test_password.py
diff --git a/ipatests/test_password/test_password.py b/ipatests/test_password/test_password.py
new file mode 100644
index ..eae7cb54b3e49dd90928100288c6af7ba8869087
--- /dev/null
+++ b/ipatests/test_password/test_password.py
@@ -0,0 +1,93 @@
+# Authors:
+# David Kupka dku...@redhat.com
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+import random
+import itertools
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+
+class PasswordGenerator(object):
+
+Generate passwords as a permutation of all allowed (ASCII0x20 \ banned)
+characters that succeds in validator.
+
+__test__ = False
+
+def __init__(self, banned='', validator=lambda p: True):
+self.validator = validator
+# use ASCII characters starting with ' '
+# exclude underlying-tool-specific disallowed characters
+self.allowed = list(set([chr(c) for c in range(0x20, 0x7F)]) - set(banned))
+
+def __call__(self):
+pw = self.allowed
+
+while True:
+random.shuffle(pw)
+if self.validator(''.join(pw)):
+return ''.join(pw)
+
+class TestPassword(IntegrationTest):
+
+Test to install ipa-server using passwords composed from all
+allowed characters.
+
+__test__ = True
+
+banned_admin = '\\'
+banned_dirman = '\\'
+
+@staticmethod
+def validator_dirman(pw):
+if pw.startswith(' ') or pw.endswith(' '):
+return False
+else:
+return True
+
+def test_password(self):
+# run 10 tests by default
+tests = 10
+# password generator for admin
+pg_admin = PasswordGenerator(self.banned_admin)
+# password generator for dirman
+pg_dirman = PasswordGenerator(self.banned_dirman, self.validator_dirman)
+
+# backup password
+pw_old_admin = self.master.config.admin_password
+pw_old_dirman = self.master.config.dirman_password
+
+for t in range(0, tests):
+# generate passwords
+pw_admin = pg_admin()
+pw_dirman = pg_dirman()
+# set tested password
+self.master.config.admin_password = pw_admin
+self.master.config.dirman_password = pw_dirman
+
+try:
+# install master on configured server
+tasks.install_master(self.master)
+except Exception, e:
+self.log.error('Failed to install ipa with -a=\'%s\', -p=\'%s\': %s' % (pw_admin, pw_dirman, e))
+# uninstall master
+tasks.uninstall_master(self.master)
+
+#restore password
+self.master.config.admin_password = pw_old_admin
+self.master.config.dirman_password = pw_old_dirman
--
1.9.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0621 test_xmlrpc: Update tests
On 07/08/2014 03:13 PM, Petr Viktorin wrote: Two test fixes for recent permission changes Functionally the patch works fine, permission tests are now error-less. There is just one whitespace error. # git am /home/mkosek/freeipa-pviktori-0621-test_xmlrpc-Update-tests.patch Applying: test_xmlrpc: Update tests /root/freeipa-master/.git/rebase-apply/patch:37: trailing whitespace. u'allow (write) groupdn = ldap:///%s;;)' % warning: 1 line adds whitespace errors. When you fix it, it's an ACK. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0002 Improve password validity check
On 07/18/2014 12:33 PM, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/2796
1) Would it be easier/more convenient to just implement following simple check
instead of bad_prefix/bad_suffix?
if password.strip() != password:
raise ValueError('Password must not start or end with whitespace')
2) The main goal of the ticket 2796 was not fixed yet. It sometimes happen that
when installation crashes somewhere right after pkicreate, it does not record
and and does not uninstall the PKI component during ipa-server-install
--uninstall.
You may artificially invoke some crash in cainstance.py after pkicreate to test
it. When fixing it, check how is_configured() in Service object works an how
self.backup_state is called in other service modules (like dsinstance.py) where
the detection works correctly.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 18.7.2014 10:11, Petr Viktorin wrote: On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df Isn't it applicable to ipa-4-0 too? I'm just curios :-) -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 07/18/2014 02:06 PM, Petr Spacek wrote: On 18.7.2014 10:11, Petr Viktorin wrote: On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df Isn't it applicable to ipa-4-0 too? I'm just curios :-) Well, the patch does apply there, of course :) The ticket is marked as RFE, so I didn't put it in the bugfix release. If there's a reason we want it in 4.0.x, let me hear it. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 18.7.2014 14:19, Petr Viktorin wrote: On 07/18/2014 02:06 PM, Petr Spacek wrote: On 18.7.2014 10:11, Petr Viktorin wrote: On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df Isn't it applicable to ipa-4-0 too? I'm just curios :-) Well, the patch does apply there, of course :) The ticket is marked as RFE, so I didn't put it in the bugfix release. If there's a reason we want it in 4.0.x, let me hear it. IMHO easier debugging for AD trusts sounds like sufficient reason for inclusion to me. The patch is s tiny that I don't see a reasons against including it to 4.0.x. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 07/18/2014 02:31 PM, Petr Spacek wrote: On 18.7.2014 14:19, Petr Viktorin wrote: On 07/18/2014 02:06 PM, Petr Spacek wrote: On 18.7.2014 10:11, Petr Viktorin wrote: On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df Isn't it applicable to ipa-4-0 too? I'm just curios :-) Well, the patch does apply there, of course :) The ticket is marked as RFE, so I didn't put it in the bugfix release. If there's a reason we want it in 4.0.x, let me hear it. IMHO easier debugging for AD trusts sounds like sufficient reason for inclusion to me. The patch is s tiny that I don't see a reasons against including it to 4.0.x. OK, I now see it's a tiny patch with also a tiny effect. (I don't read understand every patch that I push :) Pushed to ipa-4-0: 2afcbff133fbb9659a23633283c455a1851589df -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0621 test_xmlrpc: Update tests
On 07/18/2014 12:41 PM, Martin Kosek wrote: On 07/08/2014 03:13 PM, Petr Viktorin wrote: Two test fixes for recent permission changes Functionally the patch works fine, permission tests are now error-less. There is just one whitespace error. # git am /home/mkosek/freeipa-pviktori-0621-test_xmlrpc-Update-tests.patch Applying: test_xmlrpc: Update tests /root/freeipa-master/.git/rebase-apply/patch:37: trailing whitespace. u'allow (write) groupdn = ldap:///%s;;)' % warning: 1 line adds whitespace errors. When you fix it, it's an ACK. Thanks! Fixed pushed to master, ipa-4-0, ipa-4-1: cd4fd60c0ef7026964aff971346720e9fd60d148 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Enable debug pid in smb.conf
On 07/18/2014 02:42 PM, Petr Viktorin wrote: On 07/18/2014 02:31 PM, Petr Spacek wrote: On 18.7.2014 14:19, Petr Viktorin wrote: On 07/18/2014 02:06 PM, Petr Spacek wrote: On 18.7.2014 10:11, Petr Viktorin wrote: On 07/17/2014 01:30 PM, Tomas Babej wrote: On 07/16/2014 05:48 AM, Gabe Alford wrote: Hello, Adds debug pid = yes to smb.conf when ipa-adtrust-install command is run. https://fedorahosted.org/freeipa/ticket/3485 Thanks, Gabe Thanks, ACK. Pushed to master, ipa-4-1: 2afcbff133fbb9659a23633283c455a1851589df Isn't it applicable to ipa-4-0 too? I'm just curios :-) Well, the patch does apply there, of course :) The ticket is marked as RFE, so I didn't put it in the bugfix release. If there's a reason we want it in 4.0.x, let me hear it. IMHO easier debugging for AD trusts sounds like sufficient reason for inclusion to me. The patch is s tiny that I don't see a reasons against including it to 4.0.x. OK, I now see it's a tiny patch with also a tiny effect. (I don't read understand every patch that I push :) Pushed to ipa-4-0: 2afcbff133fbb9659a23633283c455a1851589df Note that tiny patch does not necessarily equal tiny effect :-) http://en.wikipedia.org/wiki/Butterfly_effect Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] weird data interaction
Petr Viktorin wrote: On 07/17/2014 10:31 PM, Rob Crittenden wrote: Saw something very weird today but my setup was also a bit odd so it may not be worthy of a ticket. Need a second opinion. Ok, so I wanted to test Jan's CA patches. They don't apply to current master due to the churn pre-4.0, so I just rewound the world to July 3 and applied them on the master branch. I don't believe the issues I'm seeing are related to his patches in any way. My environment is two masters, F-20, reasonably updated. What DS version are you using? Ok, so I started with them with 3.3.5 installs as I wanted to test upgrades. As a goof I ran the ipatests on one of them to simulate a bunch of work. There were some failures but I didn't pay close attention because testing in a replicated environment is a bit of an unknown (there are some timing issues IIRC). Anyway, so then I updated one of the masters to this pre-4.0 CA-patches build. Then I re-ran the tests. These I took more notice of as about half of them failed. Most of them related to adding users and this is due to the user objectclasses test we have. It can't revert a change: On the 4.0-ish master: # ipa config-mod --delattr ipauserobjectclasses=ipahost ipa: ERROR: change collided with another change There was a DS bug that affected multi-valued attributes, that caused MidairCollisions like this. So this would be my first guess: https://fedorahosted.org/389/ticket/47806 I'm running 389-ds-base-1.3.2.16-1 Yeah, I see your point. I guess I'll wait for a fix. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] weird data interaction
On 07/18/2014 03:50 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 07/17/2014 10:31 PM, Rob Crittenden wrote: Saw something very weird today but my setup was also a bit odd so it may not be worthy of a ticket. Need a second opinion. Ok, so I wanted to test Jan's CA patches. They don't apply to current master due to the churn pre-4.0, so I just rewound the world to July 3 and applied them on the master branch. I don't believe the issues I'm seeing are related to his patches in any way. My environment is two masters, F-20, reasonably updated. What DS version are you using? Ok, so I started with them with 3.3.5 installs as I wanted to test upgrades. As a goof I ran the ipatests on one of them to simulate a bunch of work. There were some failures but I didn't pay close attention because testing in a replicated environment is a bit of an unknown (there are some timing issues IIRC). Anyway, so then I updated one of the masters to this pre-4.0 CA-patches build. Then I re-ran the tests. These I took more notice of as about half of them failed. Most of them related to adding users and this is due to the user objectclasses test we have. It can't revert a change: On the 4.0-ish master: # ipa config-mod --delattr ipauserobjectclasses=ipahost ipa: ERROR: change collided with another change There was a DS bug that affected multi-valued attributes, that caused MidairCollisions like this. So this would be my first guess: https://fedorahosted.org/389/ticket/47806 I'm running 389-ds-base-1.3.2.16-1 Yeah, I see your point. I guess I'll wait for a fix. that should be fixed in 1.3.2.19 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [RFC] Migrating existing environments to Trust - v3
Hi, I have updated http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust with the comments from the latest round. The changes can be see at http://www.freeipa.org/index.php?title=V4%2FMigrating_existing_environments_to_Trustdiff=8696oldid=8181 I think most aspects are clear now. I think only one decision is needed about how to manage the assignment of a host to a view. In the original draft host groups were used to connect hosts to views. There is only the drawback that a host can only have one view but can belong to multiple host groups. So chances are that when we follow the host-group memberships of a single host to the views we end with two or even more views. To get around this Alexander suggested to add a new single-value LDAP attribute to the host objects which holds the DN of a view. With this all ambiguity is gone. The drawback here is that now at least in the WebUI each host which should not see the default view must be added individually to a view. (On the command line for-loops from the shell can be used). I would prefer Alexander's suggestion. Because although on the first look the host-group approach sounds more comfortable from the management point of view I think the difference is not that large when looking a bit more into the details. It was already recommended to not use host-groups already used for other purposes like HBAC or sudo for views management to avoid unexpected changes of POSIX IDs when those groups are modified for other purposes. For the host-groups which are exclusively used for view management we can add DS plugin which make sure that a host is always only a member of one of such groups to avoid ambiguity. Initially adding hosts to a host-groups is a bit easier due to the host-group add-dialog of the WebUI but later on each new host which should not have the default view has to be added to the related host group as well. It might be even a bit more effort than with Alexander's suggestion because a host cannot be added to a group when it is created, so a host has to be created first and then can be added to a group. As a summary I think there are no real benefits using host-groups for management compared to assigning the view directly to the host. Other opinions, comments and suggestions are welcome. bye, Sumit ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] - Add DRM to IPA
Ade Lee wrote:
Hi all,
I have rebased all the previous patches against master, and have squashed
them all into a single patch.
Its a large patch, but as many folks have already reviewed the constituent
precursor patches, most if it
should be familiar and easier to review.
The main difference with what was specified before is that the DRM database
is installed as a subtree
to o=ipaca. This means that no new replication agreements will be needed to
replicate DRM data.
Replication agreements set up for the Dogtag CA will automatically replicate
DRM data.
In order for this patch to work, a new 10.2 build of Dogtag 10.2 is needed -
with specific changes to
allow the ability to install a database as a subtree of an existing tree. At
this time, these
changes have not yet been checked into the dogtag source. You can obtain
such a build from:
http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
Please review,
The BuildRequires needs to be updated to avoid a bunch of lint errors:
./make-lint
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:249: [E0611(no-name-in-module), ] No name
'crypto' in module 'pki')
ipaserver/plugins/dogtag.py:250: [E0611(no-name-in-module), ] No name
'key' in module 'pki')
ipaserver/plugins/dogtag.py:251: [E0611(no-name-in-module), ] No name
'kra' in module 'pki')
ipaserver/plugins/dogtag.py:1952: [E1101(no-member), drm._setup]
Instance of 'PKIConnection' has no 'set_authentication_cert' member)
ipaserver/plugins/dogtag.py:1963: [E1101(no-member), drm._setup] Module
'pki' has no 'CERT_HEADER' member)
ipaserver/plugins/dogtag.py:1964: [E1101(no-member), drm._setup] Module
'pki' has no 'CERT_FOOTER' member)
* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:71: [E1101(no-member),
get_security_domain] Instance of 'SecurityDomainClient' has no
'get_security_domain_info' member)
I forget what back and forth we had on DRM vs no DRM by default, but is
it right to have no option at all to add one at install time, ala DNS?
My first install failed:
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak’: Permission
denied
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: SUCCESS: Successfully
archived
'/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20140718153836'
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: WARNING: Failed to
backup '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' to
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak'!
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]:
/usr/share/pki/scripts/operations: line 1579: 0: command not found
Jul 18 15:38:36 ipa.example.com systemd[1]:
pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jul 18 15:38:36 ipa.example.com systemd[1]: Failed to start PKI Tomcat
Server pki-tomcat.
This is due to SELinux issues:
type=AVC msg=audit(1405712316.049:1656): avc: denied { setfscreate }
for pid=16702 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1405712316.049:1657): avc: denied { relabelfrom }
for pid=16702 comm=cp name=CS.cfg.bak.20140718153836 dev=dm-0
ino=431097 scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1405712316.050:1658): avc: denied { create } for
pid=16703 comm=ln name=CS.cfg.bak
scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
I put it into permissive and continued.
The installer still references backing up /root/drmcert.p12 but it isn't
created by default.
The estimate for configuring the DRM seems off. On my VM it took 126
seconds, not 210. Mileage may vary but since my box was the source for
all the other timings :-)
On the plus side the DRM seems to work. I used the ca-agent cert and was
able to follow the steps at
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Testing_the_Key_Archival_and_Recovery_Setup.html
to issue and recover a key.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
