Re: [Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn
On 08/13/2014 03:57 PM, Martin Kosek wrote:
> On 08/13/2014 03:12 PM, Petr Viktorin wrote:
>> [...]
>> This works for me, but I'm not sure if I'm correctly reproducing the specific scenario this patch fixes.
>> So as always, can you please add tests for code you write?
>
> +1!
>
>> As far as other scenarios, it seems to me that when I do something wrong I get a very unhelpful error message late in the installation. I tried signing the request using xca but pkispawn choked on the result; I'll try to write a reproducer script using command-line tools.
>>
>> Attached is a script (based on the external CA integration test) that reproduces the same IndexError as mentioned in the ticket. (If necessary, adjust the IP addresses, hostnames, etc. to fit your environment.) The difference from a working script is that extensions aren't added to the IPA cert when it's signed.
>
> This is a very good finding. If Jan's patch fixes the reported problem, let us push it.
>
> Pushed to:
> master: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
> ipa-4-1: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
> ipa-4-0: 7c03ef0e727ca44ce1228e9896079a1d02227e14
>
> But the missing validation should be fixed too. Can you please extend https://fedorahosted.org/freeipa/ticket/4480 that is (will be) planned for 4.1 and attach your script as well so that we can improve the usability by both accepting more certificate types and validation?

Comment added.

-- 
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0001 User Life Cycle: create containers and scoping DS plugins
On 08/13/2014 05:34 PM, Petr Viktorin wrote:
> On 08/13/2014 05:17 PM, thierry bordaz wrote:
>> ...
>>> Patch submission technicalities:
>>> Please don't add the Reviewed by tag to the commit message, it's added when pushing. The other tags are not used in FreeIPA. (What's a Flag Day?)
>>> When you send more patches that depend on each other, either attach them all to one e-mail, or explicitly say what each patch depends on.
>>
>> That is correct, I used a review template that was for 389-ds and I will change it. 'Flag Day' was part of the 389-DS template; it was a flag to inform if the fix had a wide impact (things needing to be ported/recompiled).
>> I split the ULC fix into several logical sub-fixes and you are right that they are all related, even if, for example, 0002 does not depend on 0001. Do you want me to resend patch 0003 with the statement that it relies on 0001 (and with the correct commit message)?
>
> These guidelines just make it easier for us to handle the large numbers of patches that land on the list. Try to follow them next time you send a patch (or revision), but there's no need to resubmit things just to comply. We can change the message when pushing if the patch contents are acked.

+1. Our submission rules are described on this page:
http://www.freeipa.org/page/Contribute/Code
and this sub-page:
http://www.freeipa.org/page/Contribute/Patch_Format
including a patch description example.

HTH,
Martin
Re: [Freeipa-devel] [PATCH] - Add DRM to IPA
On 08/13/2014 09:54 PM, Ade Lee wrote:
> In Dogtag, we have decided to revert the name of the DRM to the old name KRA. DRM was really only used in docs/marketing, whereas KRA is all over the code. Soon, the code and the marketing/docs will match.
>
> The following patch changes all references to the DRM to KRA. So, for example, you need to run ipa-kra-install etc.
>
> Please apply this on top of the previous patch. I'll go ahead and squash them before commit.
>
> Thanks,
> Ade

Ah, thanks for unifying that one. I changed the DRM component in FreeIPA Trac to KRA and assigned the respective tickets to it. Let us use the KRA term for the Vault then.

Martin
Re: [Freeipa-devel] [PATCH] - Add DRM to IPA
On 08/14/2014 10:53 AM, Martin Kosek wrote:
> On 08/13/2014 09:54 PM, Ade Lee wrote:
>> In Dogtag, we have decided to revert the name of the DRM to the old name KRA. DRM was really only used in docs/marketing, whereas KRA is all over the code. Soon, the code and the marketing/docs will match.
>>
>> The following patch changes all references to the DRM to KRA. So, for example, you need to run ipa-kra-install etc.
>>
>> Please apply this on top of the previous patch. I'll go ahead and squash them before commit.
>>
>> Thanks,
>> Ade
>
> Ah, thanks for unifying that one. I changed the DRM component in FreeIPA Trac to KRA and assigned the respective tickets to it. Let us use the KRA term for the Vault then.
>
> Martin

ipa_drm_install.py: No newline at end of file

ipa_drm_install.DRMInstaller.FAIL_MESSAGE: the command is ipa-drm-install (with hyphens)

The error I got previously was when running ipa-kra-install on a replica that didn't have a CA yet. It would be nice to provide a better message for this case.

On a replica with KRA, I get:

    $ sudo ipa-kra-install --uninstall
    Usage: ipa-kra-install [options] [replica_file]

    ipa-kra-install: error: Cannot uninstall. There is no KRA installed on this system.

I tested the kra plugin with this Python script:

    from ipalib import api
    api.bootstrap(context='server', kra_host='localhost')
    api.finalize()
    api.Backend.kra.store_secret('test', 'tkey')

which gives me:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "ipaserver/plugins/dogtag.py", line 2012, in store_secret
        self._setup()
      File "ipaserver/plugins/dogtag.py", line 1965, in _setup
        connection = PKIConnection('https', self.kra_host, self.kra_port, 'kra')
      File "/usr/lib/python2.7/site-packages/pki/client.py", line 36, in __init__
        self.hostname + ':' + self.port + '/' + \
    TypeError: coercing to Unicode: need string or buffer, int found

Apparently, PKIConnection requires the port to be a string, but we pass an int. I'd consider this an issue in pki.

The kra_host='localhost' option to api.bootstrap is necessary because kra_host is not added to default.conf on install. How is this planned to work when the plugin is done?

-- 
Petr³
[Freeipa-devel] [Patch] 0001-2 User Life Cycle: create containers and scoping DS plugins
Hello,

Following Petr's remarks from the previous review, I modified the original fix to move it only into '.update' files.

Thanks
thierry

From d45e78dfeb7761348c464b3bb3956656bb115ce0 Mon Sep 17 00:00:00 2001
From: Thierry bordaz (tbordaz) tbor...@redhat.com
Date: Thu, 7 Aug 2014 16:29:02 +0200
Subject: [PATCH] User Life Cycle: create containers and scoping DS plugins

User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete).
At install/upgrade Delete and Staging containers need to be created.
    Active: cn=users,cn=accounts,$SUFFIX
    Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
    Stage: cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
    krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
        cn=accounts,SUFFIX
        cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
    DNA:
        cn=accounts,SUFFIX

Plugins exclude subtree:
    IPA UUID, Referential Integrity, memberOf:
        cn=provisioning,SUFFIX

Reviewed-By: Petr Viktorin pvikt...@redhat.com
https://fedorahosted.org/freeipa/ticket/3813
---
 install/updates/10-uniqueness.update   | 27 +++
 install/updates/20-dna.update          |  4 +++-
 install/updates/20-syncrepl.update     |  6 ++
 install/updates/30-provisioning.update | 22 ++
 install/updates/Makefile.am            |  1 +
 5 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/30-provisioning.update

diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index a336d3480866f74b82b35280e6ed788f1abb992f..fd715f8a15130efae89287d50d779d3867560f7e 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -48,3 +48,30 @@ default:nsslapd-plugin-depends-on-type: database default:nsslapd-pluginId: NSUniqueAttr default:nsslapd-pluginVersion: 1.1.0 default:nsslapd-pluginVendor: Fedora Project + +# uid uniqueness scopes Active/Delete containers +dn: cn=attribute uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' +remove:nsslapd-pluginenabled:off +add:nsslapd-pluginenabled:on + +# krbPrincipalName uniqueness scopes Active/Delete containers +dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' + +# krbCanonicalName uniqueness scopes Active/Delete containers +dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' + +# ipaUniqueID uniqueness scopes Active/Delete containers +dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config +remove:nsslapd-pluginarg1:'$SUFFIX' +add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX' +add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX' + diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update index 04047dd12787e589953e4f938a03d868de3ae93e..719195e9214ac293a3729f389504f39b46cd1aa2 100644 --- a/install/updates/20-dna.update +++ b/install/updates/20-dna.update 
@@ -2,9 +2,11 @@ dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config only:nsslapd-pluginEnabled: on -# Change the magic value to -1 +# Change the magic value to -1 and restrict DNA to active accounts dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config only:dnaMagicRegen: -1 +remove:dnaScope: '$SUFFIX' +add:dnaScope: 'cn=accounts,$SUFFIX' dn: cn=ipa-winsync,cn=plugins,cn=config remove:ipaWinSyncUserAttr: uidNumber 999 diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update index e1184bf48285fb216dfb0c82e5e97bb8cc35539c..7a26f7b6883142116aa8947a5e8eb05cfc718439 100644 --- a/install/updates/20-syncrepl.update +++ b/install/updates/20-syncrepl.update @@ -10,11 +10,17 @@ add:nsslapd-changelogmaxage: 2d # indices for cn=changelog. dn: cn=MemberOf Plugin,cn=plugins,cn=config add:memberofentryscope: '$SUFFIX' +add:memberofentryscopeexcludesubtree: 'cn=provisioning,$SUFFIX' dn: cn=referential integrity postoperation,cn=plugins,cn=config add:nsslapd-plugincontainerscope: '$SUFFIX' add:nsslapd-pluginentryscope: '$SUFFIX' +add:nsslapd-pluginExcludeEntryScope: 'cn=provisioning,$SUFFIX' # Enable SyncRepl dn: cn=Content Synchronization,cn=plugins,cn=config only:nsslapd-pluginEnabled: on + +# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries +dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config +add:ipaUuidExcludeSubtree: 'cn=provisioning,$SUFFIX' diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update new file mode 100644
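Review bot: in 10-uniqueness.update, each of the four stanzas rescopes its plugin with `remove:nsslapd-pluginarg1:'$SUFFIX'` followed by `add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'`; on an upgraded server whose current value is not exactly `$SUFFIX` the remove is a no-op and the add then either fails or leaves the old suffix-wide value next to the new one, so the narrowing silently does not happen. The update format's `only:` directive (used as `only:nsslapd-pluginEnabled: on` in 20-dna.update) sets the value regardless of what is there and would be safer for all four `pluginarg1` lines. Two things the commit message should also state: the first stanza additionally flips `nsslapd-pluginenabled` from off to on for `cn=attribute uniqueness`, which turns uid uniqueness checking on for existing installations, and the Stage container (`cn=staged users,cn=accounts,cn=provisioning,$SUFFIX`) is left outside every uniqueness scope, so no uniqueness is enforced for staged entries.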
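Review bot: in 20-dna.update, the `remove:dnaScope: '$SUFFIX'` / `add:dnaScope: 'cn=accounts,$SUFFIX'` pair assumes the current scope is exactly `$SUFFIX`; if it is anything else the old scope stays in place. The preceding line of the same stanza already uses `only:dnaMagicRegen: -1`, so `only:dnaScope: 'cn=accounts,$SUFFIX'` would match the file's own style and hold on any existing value.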
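Review bot: the IPA UUID stanza appended to 20-syncrepl.update (`dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config` / `add:ipaUuidExcludeSubtree: 'cn=provisioning,$SUFFIX'`) has nothing to do with SyncRepl; this patch creates 30-provisioning.update, which looks like the natural home for it (or whichever update file configures the IPA UUID plugin). A related question for the commit message: the memberOf and referential-integrity exclusions cover all of cn=provisioning, so they also cover the Delete container (cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX); if group member values that point into the Delete container are expected not to be maintained by these plugins, please say so explicitly.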
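To make the scoping in the commit message concrete, here is an added example (not part of Thierry's patch or the FreeIPA code base) that models 389-DS plugin scoping in a simplified way: an entry is covered by a plugin when its DN lies at or under one of the plugin's scope subtrees and not at or under any of its exclude subtrees. It normalizes DNs the way the comparison needs (case-insensitive attribute types and values, whitespace around RDNs trimmed, so the stray space in 'cn=staged users ,...' is harmless) and reports, for each plugin listed in the commit message, which of the three containers a user entry would be covered in. `dc=example,dc=test` stands in for $SUFFIX and `uid=alice` is a constructed test entry; the IPA UUID plugin's base scope is assumed to be the whole suffix since the hunks only add its exclude; escaped commas in DN values are not handled because none of these DNs contain them.

```python
"""Added example, not from the patch or FreeIPA: which User Life Cycle
containers do the plugin scopes in the commit message cover?

Model (simplified from 389-DS behaviour): an entry is covered by a plugin when
its DN lies at or under one of the plugin's scope subtrees and not at or under
any of its exclude subtrees.
"""

# Constructed value standing in for $SUFFIX in the update files.
SUFFIX = "dc=example,dc=test"

# The three containers from the commit message (stray space kept on purpose).
CONTAINERS = {
    "Active": "cn=users,cn=accounts," + SUFFIX,
    "Delete": "cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX,
    "Stage": "cn=staged users ,cn=accounts,cn=provisioning," + SUFFIX,
}

# (scope subtrees, exclude subtrees) per plugin, as set by the update files.
# IPA UUID's base scope is assumed to be the whole suffix (only its exclude is
# visible in the patch).
PLUGIN_SCOPES = {
    "uid uniqueness": (
        ["cn=accounts," + SUFFIX,
         "cn=deleted users,cn=accounts,cn=provisioning," + SUFFIX],
        [],
    ),
    "DNA": (["cn=accounts," + SUFFIX], []),
    "memberOf": ([SUFFIX], ["cn=provisioning," + SUFFIX]),
    "Referential Integrity": ([SUFFIX], ["cn=provisioning," + SUFFIX]),
    "IPA UUID": ([SUFFIX], ["cn=provisioning," + SUFFIX]),
}


def normalize_dn(dn):
    """Return the DN as a tuple of (type, value) RDNs, lower-cased and with
    surrounding whitespace removed, so 'CN=Accounts' and 'cn=accounts ' compare
    equal. Escaped commas inside values are not handled (not needed here)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def is_under(dn, base):
    """True when dn is base itself or an entry anywhere below base."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def in_scope(dn, scopes, excludes):
    """Apply the scope/exclude model to one entry."""
    return (any(is_under(dn, s) for s in scopes)
            and not any(is_under(dn, e) for e in excludes))


def coverage(plugin):
    """Map each container name to whether a user entry inside it is covered
    by the given plugin's configuration."""
    scopes, excludes = PLUGIN_SCOPES[plugin]
    return {name: in_scope("uid=alice," + base, scopes, excludes)
            for name, base in CONTAINERS.items()}


def coverage_table():
    """Full plugin-by-container matrix, handy for eyeballing the config."""
    return {plugin: coverage(plugin) for plugin in PLUGIN_SCOPES}


if __name__ == "__main__":
    for plugin, row in coverage_table().items():
        covered = [name for name, hit in row.items() if hit]
        print("%-22s covers: %s" % (plugin, ", ".join(covered) or "(none)"))
```

Running it prints one line per plugin; with the scopes from this patch, uid uniqueness covers Active and Delete but not Stage, DNA covers only Active, and memberOf, Referential Integrity and IPA UUID cover only Active, which is a quick way to confirm that an update file says what the commit message claims before it lands on a server.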