Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-10-23 Thread Martin Kosek
On 10/22/2014 07:39 PM, Tomas Babej wrote:
 Hi,
 
 thank you for the patches, comments inline.
 
 
 On 10/15/2014 02:20 PM, Petr Vobornik wrote:
 ticket: https://fedorahosted.org/freeipa/ticket/4221

 == [PATCH] 773 ranges: prohibit setting --rid-base with
 ipa-trust-ad-posix type ==

 We should not allow setting --rid-base for ranges of
 ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings
 for these ranges (objects have UID/GID set in AD). Thus, setting RID
 base makes no sense.

 Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class,
 value '0' is allowed and used internally for 'ipa-trust-ad-posix'
 range type.
 
 We probably don't want to display the first RID if it is 0 and the type
 is ad-posix. This occurs in idrange-find:
 
 [tbabej@vm-043 labtool]$ ipa idrange-find
 
 
 2 ranges matched
 
   Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 51480
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 1000
   First RID of the secondary RID range: 1
   Range type: local domain range
 
   Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 1
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
   Range type: Active Directory trust range with POSIX attributes
 
 
 Number of entries returned 2
 
 
 And also idrange-show:
 
 [tbabej@vm-043 labtool]$ ipa idrange-show 
 TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
   First Posix ID of the range: 1
   Number of IDs in the range: 20
   First RID of the corresponding RID range: 0
   Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
   Range type: Active Directory trust range with POSIX attributes
 
 

 No schema change is done.

 == [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==
 
 Looks good.
 

 == [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix
 ranges ==
 
 Can you use the paged_search=True in find_entries instead of having an
 infinite loop? It would make this code much cleaner.

I also saw you did not update Makefile.am.

 
 

 New updater plugin which sets baserid to 0 for ranges with type
 ipa-ad-trust-posix

 https://fedorahosted.org/freeipa/ticket/4221

 == [PATCH] 776 idrange: include raw range type in output ==

 iparangetype output is a localized human-readable value which is not
 suitable for machine-based API consumers

 Solved by new iparangetyperaw output attribute which contains
 iparangetype's raw value

 Note: I don't like this approach. It would be better to return just
 the raw value and do the transformation in clients. But we do have a
 precedent:
 http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html
 
 I am not happy about it either.. I guess we could create a capability
 for this, but it would probably be overkill.
 
 
 

 == [PATCH] 777 webui: prohibit setting rid base with
 ipa-trust-ad-posix type ==

 Base RID is no longer editable for ipa-trust-ad-posix range type

 Adder dialog:
 - Range type selector was moved up because it affects a field above it

 Details page:
 - Only fields relevant to range's type are visible


 Looks fine.
 
 On a related note, I added a new ticket
 https://fedorahosted.org/freeipa/ticket/4661
 
 
 
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel
 

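
The rule patch 773 enforces and the display change Tomas asks for, as an added example that is not FreeIPA's idrange plugin code: a validator for --rid-base against the range type, and a filter that hides the internal placeholder base RID 0 for ad-posix ranges in idrange-find/-show output. The type strings ipa-ad-trust-posix and ipa-local are real FreeIPA range type values; the function names and the dict-shaped entry are assumptions of this example, and the two entries in the usage block are constructed to mirror the idrange-find output quoted above.

```python
# Added example, not FreeIPA's idrange plugin: the --rid-base rule from
# patch 773 and the "don't show a base RID of 0 for ad-posix" point from
# the review, as two small standalone functions.

AD_POSIX = "ipa-ad-trust-posix"   # raw iparangetype value named in the thread
RID_PLACEHOLDER = 0               # stored because ipaBaseRID is a MUST attribute


class RangeOptionError(ValueError):
    """Raised when the supplied options contradict the range type."""


def rid_base_for_storage(range_type, rid_base):
    """Return the ipaBaseRID value to store for a new range.

    ipa-ad-trust-posix ranges do no RID -> UID/GID mapping (the POSIX ids
    live in AD), so a caller-supplied --rid-base is an error; the
    mandatory attribute is filled with the internal placeholder instead.
    Every other range type keeps the caller's value untouched (their own
    defaulting and overlap checks are outside this example).
    """
    if range_type == AD_POSIX:
        if rid_base is not None:
            raise RangeOptionError(
                "--rid-base cannot be set for %s ranges" % AD_POSIX)
        return RID_PLACEHOLDER
    return rid_base


def rejects_rid_base(range_type, rid_base):
    """True if rid_base_for_storage() refuses this combination."""
    try:
        rid_base_for_storage(range_type, rid_base)
    except RangeOptionError:
        return True
    return False


def fields_for_display(entry):
    """Copy of an idrange entry (attribute name -> value) without the
    placeholder base RID, so idrange-find/-show do not print a misleading
    'First RID of the corresponding RID range: 0' for ad-posix ranges."""
    shown = dict(entry)
    if (shown.get("iparangetype") == AD_POSIX
            and shown.get("ipabaserid") == RID_PLACEHOLDER):
        del shown["ipabaserid"]
    return shown


if __name__ == "__main__":
    # constructed entries mirroring the two ranges in the idrange-find output
    local_range = {"cn": "DOM043_id_range", "iparangetype": "ipa-local",
                   "ipabaserid": 1000, "ipasecondarybaserid": 1}
    ad_range = {"cn": "TBAD_id_range", "iparangetype": AD_POSIX,
                "ipabaserid": rid_base_for_storage(AD_POSIX, None)}
    for r in (local_range, ad_range):
        print(fields_for_display(r))
```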


Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-23 Thread Petr Viktorin

On 10/22/2014 04:34 PM, Endi Sukma Dewata wrote:

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872


New patch attached. It's identical to the previous one except I changed
the ticket number to #4503.


In IPA we usually include the full ticket URL, not just the number.

The build fails with a lint message:
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg), 
kra.get_client] Unexpected keyword argument 'password_file' in 
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter), 
kra.get_client] No value for argument 'certdb_password' in constructor call)


I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed 
takes password and not password_file. If a newer version is required you 
should put it in the spec.



ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly 
one of p12_passwd and pwd_fname is given.



ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.

Typo in commit message: modified to use Dogtag's CLI *go* create

--
Petr³

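
The contract Petr asks for in install_pem_from_p12 (exactly one of p12_passwd and pwd_fname), shown as an added example that is not the ipaserver.install.certs code under review. It builds the openssl pkcs12 command line the description mentions (-clcerts, password taken from a file) and only returns the argv; the function names, the -nodes choice and the sample paths in the test are this example's assumptions.

```python
# Added example, not FreeIPA's CertDB.install_pem_from_p12: enforce the
# "exactly one password source" contract up front and build the openssl
# argv for extracting the client certificate and key from a PKCS#12 file.


def _exactly_one(*values):
    """True when precisely one of the values is not None."""
    return sum(v is not None for v in values) == 1


def build_pem_export_cmd(p12_fname, pem_fname, p12_passwd=None, pwd_fname=None):
    """Return the openssl argv that writes the client cert + key as PEM.

    Exactly one of p12_passwd (the password itself) or pwd_fname (a file
    containing it) must be given.  Both or neither is a caller bug, so it
    is rejected here with a clear message rather than surfacing later as
    a crash or an interactive openssl password prompt.
    """
    if not _exactly_one(p12_passwd, pwd_fname):
        raise ValueError("give exactly one of p12_passwd or pwd_fname")
    # A password file keeps the secret out of the process list; a literal
    # pass: argument is visible to every local user via ps.
    passin = "file:%s" % pwd_fname if pwd_fname is not None else "pass:%s" % p12_passwd
    return [
        "openssl", "pkcs12",
        "-in", p12_fname,
        "-out", pem_fname,
        "-clcerts",   # only the end-entity (client) certificate, not the CA chain
        "-nodes",     # unencrypted key in the PEM; protect it with file permissions
        "-passin", passin,
    ]


def run_pem_export(p12_fname, pem_fname, p12_passwd=None, pwd_fname=None):
    """Execute the command; kept separate so the argv itself can be unit-tested."""
    import subprocess
    subprocess.check_call(
        build_pem_export_cmd(p12_fname, pem_fname, p12_passwd, pwd_fname))
```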


[Freeipa-devel] Announcing FreeIPA 4.1.0

2014-10-23 Thread Petr Vobornik

The FreeIPA team is proud to announce FreeIPA v4.1.0!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds will be available for Fedora 21. Builds for Fedora 20 are 
available in the official COPR repository 
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/].


== Highlights in 4.1 ==
=== Enhancements ===
* New concept of 'ID Views' allowing the FreeIPA administrator to define or 
override POSIX attributes for users/groups coming from trusted domains. 
Such users then do not need to have POSIX attributes defined in 
Active Directory to authenticate to FreeIPA clients. It also allows 
assigning a particular view to selected hosts or hostgroups, so a user or 
group can have different POSIX attributes on different hosts. Per-host 
overrides should be used with extreme care! 
[http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust]
* New tool ipa-cacert-manage to manually renew or change FreeIPA PKI CA 
certificate [http://www.freeipa.org/page/V4/CA_certificate_renewal]

* DNSSEC Support
* OTP authentication plugin now prevents multiple usage of token codes 
on a single FreeIPA server
* DNS interface now supports adding the DNS root zone (.), allowing an admin 
to, for example, centrally override DNS root hints.
* DNS zone adding interface was simplified - the name server and its IP 
address are no longer required. The list of authoritative name servers 
is read from LDAP
* Seamless signing of FreeIPA CA as a subCA in Windows Certificate 
Services [https://fedorahosted.org/freeipa/ticket/4496]
* New option --request-cert to optionally request host certificates on 
FreeIPA clients (to /etc/ipa/nssdb/)
* CLI and Web UI for 'retrieve keytab' and 'create keytab' authorization 
[http://www.freeipa.org/page/V4/Keytab_Retrieval_Management]

* Services can now be assigned as members of RBAC roles
* `ipa` command run with `-vv` option now prints JSON request and reply 
exchanged with the FreeIPA server. `-vvv` also prints HTTP communication.
* Description attribute is no longer required (e.g. in groups, sudo 
command groups or others) given that it is also not required in schema.

* Packages can now be built and installed on RHEL/CentOS 7.0
* ipa-replica-prepare now waits for the replica DNS record to be 
available to fix race conditions in automated test environments
* Port 8443 is now checked before server installation to prevent 
failures in configuring PKI which uses the port


=== Bug fixes ===
* Server installers can now handle hosts with multiple IPv4 or IPv6 
addresses
* DNS zone interface no longer accepts the `--class` option, as it had no 
effect: FreeIPA DNS only supports the 'IN' class.

* ipa-ldap-upgrade restores Directory Server settings when upgrade fails
* SSLv3.0 (CVE-2014-3566) ciphers are now disabled on new installations

=== DNSSEC Support ===
FreeIPA now automates basic key management for Domain Name System 
Security Extensions (DNSSEC) 
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Overview]. 
Before you start signing your DNS zones you have to install the DNSSEC key 
master role on an existing FreeIPA DNS server using the command:

 ipa-dns-install --dnssec-master

It allows you to enable DNSSEC for particular DNS zone using command:
 ipa dnszone-mod zone.name.example. --dnssec=true

This command will generate new zone keys, distribute keys to all FreeIPA 
DNS servers and configure all servers to independently sign the zone. 
Please keep in mind that it can take a few minutes before all servers sign 
the zone.


==== Known Limitations ====
* User has to manually upload the Delegation Signer (DS) record 
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Records] 
to the parent DNS zone to establish the chain of trust.


* User has to manually confirm that the DS record in the parent zone was 
published, otherwise the Key Signing Key (KSK) 
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Key_management] 
will not be rotated. This confirmation has to be done on the FreeIPA server 
with the key master role using the following command:
  sudo -u ods ods-ksmutil key ds-seen --zone zone.name.example. --keytag 12345

* Keytag can be obtained from dig output:
  dig +dnssec zone.name.example. DS

* User is not notified about automated key rotation. This does not lower 
stability of the system because of `ds-seen` logic mentioned above.


* Key and signing policy cannot be changed using FreeIPA tools. 
Currently it is stored in `/etc/opendnssec/kasp.xml` file on DNSSEC key 
master server. Manual changes to `kasp.xml` will be lost during next 
FreeIPA upgrade.


* Only one FreeIPA server can have DNSSEC key master role:
** *Please plan carefully, current version does not allow you to easily 
move DNSSEC master role to a different server.*
** DNSSEC key management will not work when the key master is not 
running, i.e. DNSSEC keys will not be rotated according to the policy 
and keys for new zones will not be generated.


== Known Issues ==
* Directory 
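
The DS confirmation step from the Known Limitations list above, as an added example that is not FreeIPA's or OpenDNSSEC's code: it parses the DS records out of a `dig +dnssec zone DS` answer, checks that the key tag you expect is really published in the parent before `ds-seen` is run, computes a DNSKEY key tag the RFC 4034 Appendix B way so the expected value can be derived from the zone's own KSK, and assembles the ods-ksmutil command from the announcement. The dig output, the digest and the DNSKEY bytes are constructed sample data; the function names are this example's own.

```python
import re

# Constructed sample of what `dig +dnssec zone.name.example. DS` might print
# (one DS plus its RRSIG); the digest and RRSIG fields are placeholders.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
zone.name.example.\t3600\tIN\tDS\t12345 8 2 AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12
zone.name.example.\t3600\tIN\tRRSIG\tDS 8 3 3600 20141130000000 20141031000000 4711 name.example. c2lnbmF0dXJl
"""

DS_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DS\s+"
    r"(?P<keytag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f ]+)$")


def parse_ds_records(dig_output):
    """Pick the DS records out of dig's answer (comments, RRSIGs and other
    types are skipped).  dig may break the digest into space-separated
    groups, so those are joined back together."""
    records = []
    for line in dig_output.splitlines():
        m = DS_LINE.match(line.strip())
        if m:
            records.append({
                "owner": m.group("owner"),
                "keytag": int(m.group("keytag")),
                "algorithm": int(m.group("alg")),
                "digest_type": int(m.group("dtype")),
                "digest": m.group("digest").replace(" ", "").upper(),
            })
    return records


def dnskey_keytag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY, RFC 4034 Appendix B: 16-bit word sum over the
    RDATA (flags, protocol, algorithm, key bytes) with the carry folded in."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + public_key
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_published(dig_output, zone, keytag):
    """True only if the parent answers with a DS for this zone AND key tag;
    run ds-seen only once this holds, otherwise the KSK rollover never
    completes (or completes against a DS that is not there)."""
    return any(r["owner"] == zone and r["keytag"] == keytag
               for r in parse_ds_records(dig_output))


def ds_seen_command(zone, keytag):
    """argv for the confirmation command from the announcement."""
    return ["sudo", "-u", "ods", "ods-ksmutil", "key", "ds-seen",
            "--zone", zone, "--keytag", str(keytag)]


if __name__ == "__main__":
    zone = "zone.name.example."
    tag = parse_ds_records(SAMPLE_DIG_OUTPUT)[0]["keytag"]
    if ds_published(SAMPLE_DIG_OUTPUT, zone, tag):
        print(" ".join(ds_seen_command(zone, tag)))
```

In practice you would feed the real dig output in and take the expected key tag from dnskey_keytag() applied to the KSK's DNSKEY RDATA, so a typo in the tag cannot confirm the wrong key.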

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-23 Thread Jan Cholasta

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a 
LDAP certificate store to IPA, see 
http://www.freeipa.org/page/V4/CA_certificate_renewal. Currently it 
supports only CA certificates, but can be extended to support end entity 
certificates rather easily. If you use it for the vault transport 
certificate, it can be added to the client NSS database automatically on 
install.


Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH 0020] Fix zone name to directory name conversion in BINDMgr

2014-10-23 Thread Petr Spacek

Hello,

Fix zone name to directory name conversion in BINDMgr.

https://fedorahosted.org/freeipa/ticket/4657

--
Petr^2 Spacek
From dd948e32277acca6dc218e02b8f5c22d6ebc81c3 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Thu, 23 Oct 2014 14:13:38 +0200
Subject: [PATCH] Fix zone name to directory name conversion in BINDMgr.

https://fedorahosted.org/freeipa/ticket/4657
---
 ipapython/dnssec/bindmgr.py | 32 +++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/ipapython/dnssec/bindmgr.py b/ipapython/dnssec/bindmgr.py
index 55765e16b59259f24bcb25b2276835362adbadc9..9c831c241d53ec3dd996b8fd8c3106a92998deb8 100644
--- a/ipapython/dnssec/bindmgr.py
+++ b/ipapython/dnssec/bindmgr.py
@@ -120,10 +120,40 @@ class BINDMgr(object):
 with open(%s/%s.dn % (workdir, basename), 'w') as dn_file:
 dn_file.write(attrs['dn'])
 
+def get_zone_dir_name(self, zone):
+Escape zone name to form suitable for file-system.
+
+This method has to be equivalent to zr_get_zone_path()
+in bind-dyndb-ldap/zone_register.c.
+
+if zone == dns.name.root:
+return @
+
+# strip final (empty) label
+zone = zone.relativize(dns.name.root)
+escaped = 
+for label in zone:
+for char in label:
+c = ord(char)
+if ((c = 0x30 and c = 0x39) or   # digit
+   (c = 0x41 and c = 0x5A) or# uppercase
+   (c = 0x61 and c = 0x7A) or# lowercase
+   c == 0x2D or# hyphen
+   c == 0x5F): # underscore
+if (c = 0x41 and c = 0x5A):  # downcase
+c += 0x20
+escaped += chr(c)
+else:
+escaped += %%%02X % c
+escaped += '.'
+
+# strip trailing period
+return escaped[:-1]
+
 def sync_zone(self, zone):
 self.log.info('Synchronizing zone %s' % zone)
 zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
-zone.to_text(omit_final_dot=True))
+self.get_zone_dir_name(zone))
 try:
 os.makedirs(zone_path)
 except OSError as e:
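
Review bot: the docstring promises that get_zone_dir_name() is equivalent to zr_get_zone_path() in bind-dyndb-ldap/zone_register.c, but nothing in the patch checks that; please add a unit test with the root zone (expected "@"), a mixed-case name such as Example.TEST (expected "example.test") and a label containing "/" or "." so a future drift between the two implementations is caught rather than silently making BIND and the key manager use different directories. The escaping looks sound from a path-safety standpoint: anything outside [0-9A-Za-z-_] becomes %XX, so no label can yield a path separator or "..", which is exactly the property sync_zone() relies on when it hands the result to os.path.join(); worth stating that in the docstring. Minor: the `zone == dns.name.root` return happens before relativize(), so escaped[:-1] can never run on an empty string, but a short comment there would save the next reader the trace.
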
-- 
1.9.3


Re: [Freeipa-devel] [PATCH 0020] Fix zone name to directory name conversion in BINDMgr

2014-10-23 Thread Martin Basti

On 23/10/14 14:15, Petr Spacek wrote:

Hello,

Fix zone name to directory name conversion in BINDMgr.

https://fedorahosted.org/freeipa/ticket/4657


ACK, signing the root zone works fine now

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0001] migrate-ds: Fix to exclude attrs with uppercase characters from migration

2014-10-23 Thread Petr Viktorin

On 10/21/2014 09:12 AM, Thorsten Scherf wrote:

Just realized that I sent the email without body. Mea culpa. Here we go:

Fix entry_attr case to make migrate-ds work again

Migration of an OpenLDAP based directory to FreeIPA with some objectclasses
removed failed because --user-ignore-attribute didn't work. Fixed
that by
making the LDAPEntry object's entry_attr lowercased.

https://fedorahosted.org/freeipa/ticket/4620


On [Mon, 20.10.2014 11:57], Thorsten Scherf wrote:





I don't see a guarantee that attr_blacklist's items will always be 
lowercase. Wouldn't lowercasing the blacklist be safer?

Something like:

attr_blacklist_set = {a.lower() for a in attr_blacklist}
...
if attr.lower() in attr_blacklist_set

A few lines down is the objectclass blacklist handling; I think it needs 
similar treatment.


Looks like the code is duplicated in _pre_migrate_group; it would be 
nice to pull it out into a function and call it from both places.



--
Petr³

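
The case-insensitive blacklist Petr suggests, pulled into one helper that both the user and the group pre-migration paths could call, as an added example that is not the migrate-ds plugin code. LDAP attribute and objectClass names are case-insensitive, which is why the exact-match version beside it lets `--user-ignore-attribute` miss an attribute the source directory happens to spell in a different case. The entry dict shape and the function names are this example's assumptions; the sample entry is constructed.

```python
# Added example, not ipalib/plugins/migration.py: a single helper for the
# attribute and objectClass blacklists, matching case-insensitively on
# both sides, next to the exact-match version that shows the original bug.

# Constructed OpenLDAP-style entry: attribute names as the source
# directory happened to spell them (mixed case).
SAMPLE_ENTRY = {
    "uid": ["alice"],
    "cn": ["Alice Example"],
    "SambaSID": ["S-1-5-21-1-2-3-1001"],
    "objectClass": ["inetOrgPerson", "posixAccount", "SambaSamAccount"],
}


def strip_blacklisted_naive(entry, attr_blacklist, objectclass_blacklist):
    """Exact-match filtering: only works if the blacklist and the entry use
    identical spelling.  With the entry above and a lowercase blacklist,
    SambaSID and SambaSamAccount slip through into the migrated user."""
    out = {}
    for attr, values in entry.items():
        if attr in attr_blacklist:
            continue
        if attr == "objectclass":
            values = [v for v in values if v not in objectclass_blacklist]
        out[attr] = list(values)
    return out


def _lowered(names):
    """Normalise a blacklist once; LDAP names compare case-insensitively."""
    return {n.lower() for n in names}


def strip_blacklisted(entry, attr_blacklist, objectclass_blacklist):
    """Case-insensitive filtering, usable from both the user and the group
    pre-migrate callbacks.  Returns a new dict; the input is not modified."""
    attrs_to_drop = _lowered(attr_blacklist)
    classes_to_drop = _lowered(objectclass_blacklist)
    out = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key in attrs_to_drop:
            continue
        if key == "objectclass":
            values = [v for v in values if v.lower() not in classes_to_drop]
        out[attr] = list(values)
    return out


if __name__ == "__main__":
    ignore_attrs = ["sambasid"]             # as typed on the command line
    ignore_classes = ["sambasamaccount"]
    print("naive :", strip_blacklisted_naive(SAMPLE_ENTRY, ignore_attrs, ignore_classes))
    print("fixed :", strip_blacklisted(SAMPLE_ENTRY, ignore_attrs, ignore_classes))
```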


Re: [Freeipa-devel] issues with Debian port

2014-10-23 Thread Timo Aaltonen

Some updates:

- rebased to 4.0.4, thanks for the release :)
- mod_nss issues got fixed, silly me..

On 21.10.2014 18:36, Timo Aaltonen wrote:
 client install will fail with:
 
 2014-10-21T08:29:30Z INFO trying https://sid.tyrell/ipa/json
 2014-10-21T08:29:30Z DEBUG Created connection context.rpcclient
 2014-10-21T08:29:30Z DEBUG Try RPC connection
 2014-10-21T08:29:30Z INFO Forwarding 'ping' to json server
 'https://sid.tyrell/ipa/json'
 2014-10-21T08:29:30Z ERROR Cannot connect to the server due to generic
 error: error marshalling data for XML-RPC transport: argument 2 must be
 string or None, not int

This is because I hadn't ported a patch from the ubuntu branch which got
applied some six months ago.. d'oh. The issue is that our pykerberos is
newer, and needs this:

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
 service = HTTP@ + host.split(':')[0]
 
 try:
-(rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+(rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
 except kerberos.GSSError, e:
 self._handle_exception(e)
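
Review bot: only the call site changes here (self.flags passed positionally becomes gssflags=self.flags), and the covering text says the newer pykerberos needs the keyword; before merging please confirm that the older pykerberos releases on the other supported platforms accept the gssflags keyword too, otherwise this trades a Debian failure for a failure elsewhere, and record the minimum pykerberos version in the packaging requirements so the dependency is explicit rather than discovered at install time.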


now client install on the server almost works, but only almost because..

 Also, I'm reusing the RedHatService() stuff for services that have
 native systemd jobs, but in the later phases of install (and during
 uninstall) ipactl is trying to (re)start 'dirsv@.service' and not
 'dirsrv@REALM.service' like in the dirsrv phase.. any hints here would
 be welcome as well. Otherwise I'll just use DebianSysvService() for
 dirsrv too..

..this is still something I haven't figured out. Dirsrv restart after
LDAP updates fail, so client install on the server will fail because it
can't get SASL up. Something for tomorrow then.. still got until Sunday
to get this fixed and uploaded and then accepted to unstable by ftpmasters,
or it won't migrate to Jessie in time for the freeze. But that's an
eternity! :)

Oh and the web UI is blank when I try it. Does the client install fail have
something to do with it?


-- 
t



Re: [Freeipa-devel] issues with Debian port

2014-10-23 Thread Alexander Bokovoy

On Fri, 24 Oct 2014, Timo Aaltonen wrote:


Some updates:

- rebased to 4.0.4, thanks for the release :)
- mod_nss issues got fixed, silly me..

On 21.10.2014 18:36, Timo Aaltonen wrote:

client install will fail with:

2014-10-21T08:29:30Z INFO trying https://sid.tyrell/ipa/json
2014-10-21T08:29:30Z DEBUG Created connection context.rpcclient
2014-10-21T08:29:30Z DEBUG Try RPC connection
2014-10-21T08:29:30Z INFO Forwarding 'ping' to json server
'https://sid.tyrell/ipa/json'
2014-10-21T08:29:30Z ERROR Cannot connect to the server due to generic
error: error marshalling data for XML-RPC transport: argument 2 must be
string or None, not int


This is because I hadn't ported a patch from the ubuntu branch which got
applied some six months ago.. d'oh. The issue is that our pykerberos is
newer, and needs this:

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 81e7aa3..ce5f2a0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
service = HTTP@ + host.split(':')[0]

try:
-(rc, vc) = kerberos.authGSSClientInit(service, self.flags)
+(rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)


now client install on the server almost works, but only almost because..


Also, I'm reusing the RedHatService() stuff for services that have
native systemd jobs, but in the later phases of install (and during
uninstall) ipactl is trying to (re)start 'dirsv@.service' and not
'dirsrv@REALM.service' like in the dirsrv phase.. any hints here would
be welcome as well. Otherwise I'll just use DebianSysvService() for
dirsrv too..


..this is still something I haven't figured out. Dirsrv restart after
LDAP updates fail, so client install on the server will fail because it
can't get SASL up. Something for tomorrow then.. still got until Sunday
to get this fixed and uploaded and then accepted to unstable by ftpmasters,
or it won't migrate to Jessie in time for the freeze. But that's an
eternity! :)

Since dirsrv@.service is instance-based, when instance is missing we
rewrite dirsrv@.service to be dirsrv.target. This means 'start whatever
is requiring this synchronization point'. Enabling instances of dirsrv
means they are symlinked as dependencies on dirsrv.target:

# ls -l /etc/systemd/system/dirsrv.target.wants/
total 0
lrwxrwxrwx. 1 root root 39 Oct 20 17:56 dirsrv@IPACLOUD-TEST.service -> 
/usr/lib/systemd/system/dirsrv@.service


Oh and the web UI is blank when I try it. Does the client install fail have
something to do with it?

check /var/log/ipaclient-install.log


--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0074] Make token window sizes configurable

2014-10-23 Thread Nathaniel McCallum
This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.

https://fedorahosted.org/freeipa/ticket/4511

NOTE: There is one known issue with this patch which I don't know how to
solve. This patch changes the schema in install/share/60ipaconfig.ldif.
On an upgrade, all of the new attributeTypes appear correctly. However,
the modifications to the pre-existing objectClass do not show up on the
server. What am I doing wrong?

After modifying ipaGuiConfig manually, everything in this patch works
just fine.
From 50ac86b317c406f7854ad7c9d568a5d62445eeab Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Thu, 23 Oct 2014 15:18:26 -0400
Subject: [PATCH] Make token window sizes configurable

This patch gives the administrator variables to control the size of
the authentication and synchronization windows for OTP tokens.

https://fedorahosted.org/freeipa/ticket/4511
---
 API.txt   |   6 +-
 VERSION   |   4 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c | 195 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h |  17 ++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c |  77 +++--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c |   5 +-
 daemons/ipa-slapi-plugins/libotp/libotp.c | 133 +++
 daemons/ipa-slapi-plugins/libotp/libotp.h |  30 ++--
 install/share/60ipaconfig.ldif|   7 +-
 install/ui/src/freeipa/serverconfig.js|  10 ++
 install/ui/test/data/ipa_init.json|   3 +-
 install/updates/40-otp.update |   6 +
 ipalib/plugins/config.py  |  31 +++-
 ipalib/plugins/internal.py|   1 +
 14 files changed, 334 insertions(+), 191 deletions(-)

diff --git a/API.txt b/API.txt
index 491d7a76fd1d2d50208d314d1600839ce295..a10dd0475dd032294473aeddc6e65512367897b9 100644
--- a/API.txt
+++ b/API.txt
@@ -514,7 +514,7 @@ args: 0,1,1
 option: Str('version?', exclude='webui')
 output: Output('result', None, None)
 command: config_mod
-args: 0,25,3
+args: 0,29,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
@@ -536,6 +536,10 @@ option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='
 option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
+option: Int('ipawindowauthhotp', attribute=True, autofill=False, cli_name='hotp_auth_window', maxvalue=1000, minvalue=1, multivalue=False, required=False)
+option: Int('ipawindowauthtotp', attribute=True, autofill=False, cli_name='totp_auth_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False)
+option: Int('ipawindowsynchotp', attribute=True, autofill=False, cli_name='hotp_sync_window', maxvalue=1000, minvalue=1, multivalue=False, required=False)
+option: Int('ipawindowsynctotp', attribute=True, autofill=False, cli_name='totp_sync_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
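
Review bot: the four new Int options carry their limits (1..1000 for the hotp windows, 30..2678400 for the totp ones) but nothing here says that the hotp values count counter steps while the totp values are seconds; please make the config plugin's option label or doc state the unit, otherwise an administrator reading --totp-auth-window=300 next to --hotp-auth-window=10 has no way to tell they are different quantities. The upper bounds (1000 steps, 31 days) are values an administrator can actually set, so the doc should also say what widening a window costs: more codes are accepted per attempt.
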
diff --git a/VERSION b/VERSION
index b0d41e5e1ec59ddefbdcccf588b97bac2ff798ee..9ac8551510a525822a1e356e7241f52cebfbe288 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=108
-# Last change: pvoborni - manage authorization of keytab operations
+IPA_API_VERSION_MINOR=109
+# Last change: npmccallum - OTP window configuration
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
index 3ab5668edd7edcb9eaf247c18b964f6584c9d439..4b29d6f7794fcadd4f5de08526d4d27dffd6417d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
@@ -40,15 +40,34 @@
 #include authcfg.h
 #include ipapwd.h
 
-#include pratom.h
+#include pratom.h
+#include plstr.h
 
-static struct config {
-struct config *next;
+#define DEFAULT_AUTH_TOTP 300
+#define DEFAULT_AUTH_HOTP 10
+#define DEFAULT_SYNC_TOTP 86400
+#define DEFAULT_SYNC_HOTP 100
+#define DEFAULTS_AUTH { 
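
Review bot: the new DEFAULT_AUTH_TOTP/HOTP and DEFAULT_SYNC_TOTP/HOTP values (300, 10, 86400, 100) have no comment giving their unit or rationale; one line per define (seconds vs. counter steps, and why the sync windows are so much wider than the auth windows) would keep them in step with the API.txt limits and help whoever tunes them later. Also, since the values now come from LDAP (ipaGuiConfig), the plugin should clamp what it reads to the same minimum/maximum range API.txt enforces, because those bounds only protect the IPA command path, not a direct LDAP modification of the config entry.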

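What the two window sizes in this patch control, as an added example that is not FreeIPA's ipa-pwd-extop or libotp code: an RFC 4226 HOTP implementation with an authentication window (how far ahead of the stored counter a single code is accepted) and a wider synchronisation window (how far ahead two consecutive codes are accepted to resync the counter), plus the TOTP variant whose windows are expressed in seconds. The limits come from the API.txt hunk in the patch (hotp 1..1000 steps, totp 30..2678400 seconds); the symmetric TOTP window, the configuration-check helper and all function names are this example's assumptions, and the secret is the RFC 4226 Appendix D test key.

```python
import hashlib
import hmac
import struct

# Limits from the API.txt hunk in this patch: hotp windows are counter
# steps, totp windows are seconds.
WINDOW_LIMITS = {
    "hotp_auth_window": (1, 1000),
    "hotp_sync_window": (1, 1000),
    "totp_auth_window": (30, 2678400),
    "totp_sync_window": (30, 2678400),
}


def window_config_ok(name, value):
    """True if an administrator-supplied window is inside the allowed range."""
    low, high = WINDOW_LIMITS[name]
    return low <= value <= high


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def verify_hotp(secret, stored_counter, code, auth_window):
    """Accept a code for any of the next auth_window counter values.
    Returns the counter to store next (one past the match) or None.
    Only looks forward, so a previously accepted code cannot be replayed."""
    for c in range(stored_counter, stored_counter + auth_window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def sync_hotp(secret, stored_counter, first_code, second_code, sync_window):
    """Resynchronisation: two consecutive codes anywhere inside the (much
    wider) sync_window move the counter forward.  Returns the new counter
    or None; requiring two codes is what makes the wide window tolerable."""
    for c in range(stored_counter, stored_counter + sync_window):
        if (hmac.compare_digest(hotp(secret, c), first_code)
                and hmac.compare_digest(hotp(secret, c + 1), second_code)):
            return c + 2
    return None


def verify_totp(secret, now, code, auth_window, step=30):
    """TOTP (RFC 6238) check; auth_window is in seconds and is applied on
    both sides of 'now' (that symmetry is an assumption of this example).
    Returns the matching time step or None."""
    steps = auth_window // step
    current = now // step
    for t in range(max(0, current - steps), current + steps + 1):
        if hmac.compare_digest(hotp(secret, t), code):
            return t
    return None


RFC4226_SECRET = b"12345678901234567890"   # test key from RFC 4226 Appendix D

if __name__ == "__main__":
    print("counter 0 ->", hotp(RFC4226_SECRET, 0))   # 755224 per the RFC
    seventh = hotp(RFC4226_SECRET, 7)
    print("auth window 10:", verify_hotp(RFC4226_SECRET, 0, seventh, 10))
    print("auth window 5 :", verify_hotp(RFC4226_SECRET, 0, seventh, 5))
```

The split between a small auth window and a large sync window is the point of the patch: the auth window bounds how many codes a single guess can hit, while the sync window only pays off for someone who presents two consecutive valid codes.
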
Re: [Freeipa-devel] issues with Debian port

2014-10-23 Thread Timo Aaltonen
On 24.10.2014 00:47, Alexander Bokovoy wrote:
 On Fri, 24 Oct 2014, Timo Aaltonen wrote:
 Since dirsrv@.service is instance-based, when instance is missing we
 rewrite dirsrv@.service to be dirsrv.target. This means 'start whatever
 is requiring this synchronization point'. Enabling instances of dirsrv
 means they are symlinked as dependencies on dirsrv.target:
 
 # ls -l /etc/systemd/system/dirsrv.target.wants/
 total 0
 lrwxrwxrwx. 1 root root 39 Oct 20 17:56 dirsrv@IPACLOUD-TEST.service ->
 /usr/lib/systemd/system/dirsrv@.service

right, I hadn't changed LIB_SYSTEMD_SYSTEMD_DIR in paths.py.. doing that
fixed this issue, thanks!

 Oh and the web UI is blank when I try it. Does the client install fail
 have
 something to do with it?
 check /var/log/ipaclient-install.log

Well it fails because it can't connect to the server:

2014-10-23T22:10:57Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2014-10-23T22:10:57Z DEBUG cert valid True for CN=sid.tyrell,O=SID
2014-10-23T22:10:57Z DEBUG handshake complete, peer = 192.168.1.31:443
2014-10-23T22:10:57Z ERROR Cannot connect to the server due to generic
error: Authentication method not supported: sasl mechanism not supported

I thought it was because of the dirsrv restart failing before this step,
but after fixing it the failure is still the same..


-- 
t
