Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn
On 08/08/2014 10:55 AM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4397.
>
> Honza

Thanks! I did not test, just have a couple of questions/suggestions:

1) Are we testing that the certificate is in proper format, e.g. is not PKCS7 already? We need to error out properly then.

2) Are ipa-server-install --help options as informative as possible? --external-ca installation is tricky, we need to make sure that there is no doubt about what the input is.

3) We may want to add instructions how to convert PKCS#7 -> PEM to man ipa-server-install too.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn
On 8.8.2014 at 11:20, Martin Kosek wrote:
> On 08/08/2014 10:55 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4397.
>>
>> Honza
>
> Thanks! I did not test, just have a couple of questions/suggestions:
>
> 1) Are we testing that the certificate is in proper format, e.g. is not PKCS7 already? We need to error out properly then.

Yes, in ipa-server-install.

> 2) Are ipa-server-install --help options as informative as possible? --external-ca installation is tricky, we need to make sure that there is no doubt about what the input is.

I amended them a little bit.

> 3) We may want to add instructions how to convert PKCS#7 -> PEM to man ipa-server-install too.

Added.

> Martin

Updated patch attached.

-- 
Jan Cholasta

From f82f8985ecfe1ab408c1db728a8fa9fbcc838276 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 8 Aug 2014 10:15:26 +0200 Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to pkispawn. https://fedorahosted.org/freeipa/ticket/4397 --- install/tools/ipa-server-install | 6 +++--- install/tools/man/ipa-server-install.1 | 10 +++--- ipaserver/install/cainstance.py| 13 - 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 1f158a4..393c52d 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install
@@ -179,11 +179,11 @@ def parse_options(): cert_group = OptionGroup(parser, certificate system options) cert_group.add_option(, --external-ca, dest=external_ca, action=store_true, - default=False, help=Generate a CSR to be signed by an external CA) + default=False, help=Generate a CSR for the IPA CA certificate to be signed by an external CA) cert_group.add_option(, --external_cert_file, dest=external_cert_file, - help=PEM file containing a certificate signed by the external CA) + help=File containing the IPA CA certificate signed by the external CA in PEM format) cert_group.add_option(, --external_ca_file, dest=external_ca_file, - help=PEM file containing the external CA chain) + help=File containing the external CA certificate chain in PEM format) cert_group.add_option(--no-pkinit, dest=setup_pkinit, action=store_false, default=True, help=disables pkinit setup steps) cert_group.add_option(--dirsrv_pkcs12, dest=dirsrv_pkcs12, diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 4adf1d0..d713d2d 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input .SS CERTIFICATE SYSTEM OPTIONS .TP \fB\-\-external\-ca\fR -Generate a CSR to be signed by an external CA +Generate a CSR for the IPA CA certificate to be signed by an external CA. .TP \fB\-\-external_cert_file\fR=\fIFILE\fR -PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file. +File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file. .TP \fB\-\-external_ca_file\fR=\fIFILE\fR -PEM file containing the external CA chain +File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file. + +If the CA certificate chain is in PKCS#7 format you can convert it to PEM using: + +openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE .TP \fB\-\-no\-pkinit\fR Disables pkinit setup steps diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 03aec95..3d0895a 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -583,9 +583,20 @@ class CAInstance(service.Service): config.set(CA, pki_external_csr_path, self.csr_file) elif self.external == 2: +cert_chain, stderr, rc = ipautil.run( +[paths.OPENSSL, 'crl2pkcs7', + '-certfile', self.cert_chain_file, + '-nocrl']) +# Dogtag chokes on the header and footer, remove them +# https://bugzilla.redhat.com/show_bug.cgi?id=1127838 +cert_chain = re.search( +r'(?=-BEGIN PKCS7-).*?(?=-END PKCS7-)', +cert_chain, re.DOTALL).group(0) +cert_chain_file = ipautil.write_tmp_file(cert_chain) + config.set(CA, pki_external, True) config.set(CA, pki_external_ca_cert_path, self.cert_file) -config.set(CA, pki_external_ca_cert_chain_path, self.cert_chain_file) +config.set(CA, pki_external_ca_cert_chain_path, cert_chain_file.name) config.set(CA, pki_external_step_two, True) # Generate configuration file -- 1.9.3
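Review bot: in the ipa-server-install hunk, the new help strings for --external_cert_file and --external_ca_file say "in PEM format" but do not tell the user that a PKCS#7 chain is rejected, while the man page hunk in the same patch adds the `openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE` conversion; a short pointer to that command (or to the man page) in the --external_ca_file help text would save a failed run, and the --help text could also state that the two options must be given together, as the man page now does for both.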
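Review bot: in the ipa-server-install.1 hunk, the added line `openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE` is plain filled text, so man will reflow it together with the sentence before it instead of showing it as a command on its own line; wrap it in `.nf`/`.fi` (or use `.B`) so the example keeps its layout. Adding "Must be given with \-\-external_cert_file." to the --external_ca_file entry makes the mutual requirement visible from both options, which is good.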
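Review bot: in the cainstance.py hunk, as written the pattern `(?=-BEGIN PKCS7-).*?(?=-END PKCS7-)` uses a lookahead for the BEGIN marker, so the match begins at the BEGIN line and keeps the header while only the END footer is excluded, which contradicts the comment that both header and footer are removed; a lookbehind `(?<=...)` for the BEGIN marker, or a capturing group placed between the two markers, strips both. `re.search(...)` also returns None when openssl prints no PKCS7 block, so `.group(0)` fails with an AttributeError instead of a clear message; check the result and raise an error that names the chain file. Finally, `cert_chain_file.name` is written into the config but the object itself is only a local; if `ipautil.write_tmp_file` returns a NamedTemporaryFile (deleted on close), it must stay referenced until pkispawn has read the file.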
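Added example (not from the patch or the FreeIPA tree) covering Martin's point 1 and the conversion step in the cainstance.py hunk: it rejects a chain that is already PKCS#7, builds the degenerate certs-only SignedData that `openssl crl2pkcs7 -nocrl -certfile` produces, in pure Python so it runs without openssl, and strips the PEM armor the way Dogtag needs. The regexes, function names and the placeholder certificate used in the test are my own constructions.

```python
import base64
import re

# DER-encoded OIDs from PKCS#7 (RFC 2315): id-signedData and id-data
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
OID_DATA = bytes.fromhex("06092a864886f70d010701")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PEM_PKCS7 = re.compile(r"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----", re.S)

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def pem_chain_to_der_certs(pem_text):
    """DER bytes of each certificate in a PEM chain; rejects PKCS#7 input
    and empty input so the installer can fail before pkispawn runs."""
    if PEM_PKCS7.search(pem_text):
        raise ValueError("CA chain is already PKCS#7; expected PEM certificates")
    certs = [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(pem_text)]
    if not certs:
        raise ValueError("no PEM certificates found in CA chain")
    return certs

def certs_only_pkcs7(der_certs):
    """Degenerate certs-only SignedData, the structure crl2pkcs7 -nocrl emits."""
    signed_data = tlv(0x30, tlv(0x02, b"\x01")               # version 1
                      + tlv(0x31, b"")                       # digestAlgorithms: empty SET
                      + tlv(0x30, OID_DATA)                  # contentInfo: id-data, no content
                      + tlv(0xA0, b"".join(der_certs))       # [0] IMPLICIT SET OF Certificate
                      + tlv(0x31, b""))                      # signerInfos: empty SET
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, signed_data))  # outer ContentInfo

def pkcs7_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PKCS7-----\n" + body + "\n-----END PKCS7-----\n"

def strip_pkcs7_armor(pem_text):
    """Base64 body between the markers, which is what Dogtag expects in the chain file."""
    m = PEM_PKCS7.search(pem_text)
    if m is None:
        raise ValueError("no PKCS7 block found in openssl output")
    return m.group(1).strip()
```

Chaining the four functions over the installer's chain file gives the text the patch writes to its temporary file, with a clear ValueError instead of an AttributeError when the input is not what was expected.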
[Freeipa-devel] [PATCH] 0003 User life cycle: new stageuser plugin with add verb
Hi,

The attached patch is related to 'User Life Cycle' (https://fedorahosted.org/freeipa/ticket/3813). It creates a stageuser plugin with a first function stageuser-add. Stage user entries are provisioned under 'cn=staged users,cn=accounts,cn=provisioning,SUFFIX'.

Thanks
thierry

From 778f6409f5e41c38167545a7e01f9c2026f71b6a Mon Sep 17 00:00:00 2001 From: root r...@vm-061.idm.lab.bos.redhat.com Date: Fri, 8 Aug 2014 08:35:25 -0400 Subject: [PATCH] User life cycle: new stageuser plugin with add verb Bug Description: Add the stageuser plugin, with support of stageuser-add verb. Reviewed by: ? Platforms tested: F20 Doc impact: yes https://fedorahosted.org/freeipa/ticket/3813 --- API.txt | 49 +++ ipalib/constants.py | 2 + ipalib/plugins/stageuser.py | 848 3 files changed, 899 insertions(+) create mode 100644 ipalib/plugins/stageuser.py diff --git a/API.txt b/API.txt index d731881eea39fb0ed2210d1a6b04739f6cd7f29b..38aa3878ead2043137931a46e37e31b82158e303 100644 --- a/API.txt +++ b/API.txt
@@ -3306,6 +3306,55 @@ command: sidgen_was_run args: 0,1,1 option: Str('version?', exclude='webui') output: Output('result', None, None) +command: stageuser_add +args: 1,43,3 +arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) +option: Str('addattr*', cli_name='addattr', exclude='webui') +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('carlicense', attribute=True, cli_name='carlicense', multivalue=True, required=False) +option: Str('cn', attribute=True, autofill=True, cli_name='cn', multivalue=False, required=True) +option: Str('departmentnumber', attribute=True, cli_name='departmentnumber', multivalue=True, required=False) +option: Str('displayname', attribute=True, autofill=True, cli_name='displayname', multivalue=False, required=False) +option: Str('employeenumber', attribute=True, cli_name='employeenumber', multivalue=False, required=False) +option: Str('employeetype', attribute=True, cli_name='employeetype', multivalue=False, required=False) +option: Str('facsimiletelephonenumber', attribute=True, cli_name='fax', multivalue=True, required=False) +option: Flag('from_delete?', autofill=True, cli_name='from_delete', default=False) +option: Str('gecos', attribute=True, autofill=True, cli_name='gecos', multivalue=False, required=False) +option: Int('gidnumber', attribute=True, cli_name='gidnumber', minvalue=1, multivalue=False, required=False) +option: Str('givenname', attribute=True, cli_name='first', multivalue=False, required=True) +option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False) +option: Str('initials', attribute=True, autofill=True, cli_name='initials', multivalue=False, required=False) +option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False) +option: Str('ipatokenradiusconfiglink', 
attribute=True, cli_name='radius', multivalue=False, required=False) +option: Str('ipatokenradiususername', attribute=True, cli_name='radius_username', multivalue=False, required=False) +option: StrEnum('ipauserauthtype', attribute=True, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp')) +option: DateTime('krbprincipalexpiration', attribute=True, cli_name='principal_expiration', multivalue=False, required=False) +option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='principal', multivalue=False, required=False) +option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) +option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) +option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) +option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False) +option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False) +option: Str('preferredlanguage', attribute=True, cli_name='preferredlanguage', multivalue=False, pattern='^(([a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?(\\s*,\\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?)*)|(\\*))$', required=False) +option: Flag('random', attribute=False, autofill=True, cli_name='random', default=False, multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False,
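Review bot: in the API.txt hunk, `Flag('from_delete?', autofill=True, cli_name='from_delete', default=False)` carries no `exclude='webui'`, unlike the other bookkeeping flags in the same list (`addattr*`, `all`, `no_members`); if it is only meant for moving an entry from the deleted container back to stage, hide it from the Web UI and document its purpose in the plugin. The option list otherwise mirrors user_add (including `random` and `krbprincipalexpiration`), so the per-option doc should say which of these take effect on an entry under cn=staged users; the hunk is cut off after `Flag('raw'`, so the declared `args: 1,43,3` count cannot be checked here.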
Re: [Freeipa-devel] [PATCH] - Add DRM to IPA
Ade Lee wrote:
> Attached is a new patch. I believe I have addressed all the issues raised by pviktori, edewata and rcrit. Please let me know if I missed something!
>
> Incidentally, to get all this to work, you should use the latest Dogtag 10.2 build, which also contains a fix for pkidestroy that is not yet merged in. A COPR build is currently underway at: http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/24804/

Some whitespace issues:

Applying: Add a DRM to IPA
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3774: trailing whitespace.
This relies on the DRM client to generate a wrapping key
/home/rcrit/redhat/freeipa/.git/rebase-apply/patch:3292: new blank line at EOF.
+
warning: 2 lines add whitespace errors.

I do hope you're planning on adding a minimum build dep at some point?
Still seeing AVCs during install:

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1503): arch=c03e syscall=1 success=no exit=-13 a0=3 a1=210cb30 a2=2d a3=7fff1caa83f0 items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1503): avc: denied { setfscreate } for pid=12307 comm=cp scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.743:1504): arch=c03e syscall=190 success=no exit=-13 a0=4 a1=7fff1caa8590 a2=210c8f0 a3=2d items=0 ppid=12121 pid=12307 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=cp exe=/usr/bin/cp subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.743:1504): avc: denied { relabelfrom } for pid=12307 comm=cp name=CS.cfg.bak.20140808191335 dev=dm-0 ino=430828 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

time->Fri Aug 8 19:13:35 2014
type=SYSCALL msg=audit(1407539615.744:1505): arch=c03e syscall=88 success=no exit=-13 a0=7fffd3c0daa7 a1=7fffd3c0daea a2=0 a3=7fffd3c0b9b0 items=0 ppid=12121 pid=12308 auid=4294967295 uid=994 gid=993 euid=994 suid=994 fsuid=994 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=ln exe=/usr/bin/ln subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1407539615.744:1505): avc: denied { create } for pid=12308 comm=ln name=CS.cfg.bak scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file

The new estimated time was dead on :-)

There was a fairly long wait after "Done configuring DRM server (pki-tomcatd)." and the install was done.
I thought we always displayed text when restarting (e.g. handled by the service wrapper) but I guess not. It would be nice to know what is going on.

Re-running ipa-drm-install results in a scary error:

]# ipa-drm-install
Usage: ipa-drm-install [options] [replica_file]

ipa-drm-install: error: DRM is already installed.
Your system may be partly configured.
Run /usr/sbin/ipa_drm_install.py --uninstall to clean up.

And now onto the code...

class drm

_create_pem_file isn't exactly descriptive and there is no method documentation.

_setup. Just a nit: do you want to hardcode the port? I think I'd prefer it come via the constructor and default to 443.

It may be worth beefing up the return value docs a la what John did in the dogtag section. I notice, for example, you always return a tuple and one value as None in store_secret. I assume there is a reason for that but it isn't obvious. This happens elsewhere too.

Should the copyright dates on existing files be changed? I don't think they should be, but I'm hardly an expert.

I just did a cursory look-see in the code and things generally looked ok. I'm hoping Petr^3 will take a closer look.

rob