Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-11-03 Thread Martin Basti

On 03/11/14 10:28, David Kupka wrote:

On 10/30/2014 10:42 AM, Martin Basti wrote:

On 29/10/14 17:23, David Kupka wrote:

On 10/29/2014 02:34 PM, David Kupka wrote:

On 10/24/2014 03:05 PM, David Kupka wrote:

On 10/24/2014 01:06 PM, David Kupka wrote:

On 10/24/2014 10:43 AM, Martin Basti wrote:

On 24/10/14 09:51, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4585

NACK

1)
Why is there a line with 'DS System User'? The comment should depend on
the service.

+args = [
+paths.USERADD,
+'-g', group,
+'-c', 'DS System User',
+'-d', homedir,
+'-s', shell,
+'-M', '-r', name,
+]
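Review bot: the `'-c', 'DS System User'` description is hard-coded in what is otherwise a generic helper (group, homedir, shell and name are all parameters), so every service account created through it is labelled as the DS user; take the comment as a parameter too, e.g. `'-c', comment,`. The `-M` and `-r` flags already request a system account without a home directory (`-r` is the short form of useradd's `--system`), which answers the later question in this thread about whether `--system` is needed.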


This was part of the original code and I didn't notice it. Nice catch,
thanks.



2)
The create_system_user code is duplicated between the base and redhat tasks,
with platform-dependent changes.
IMO it would be better to have one method to create the user, with keyword
arguments, and then a platform-dependent method which calls the method to
create the user with appropriate arguments (or with default arguments).



You're right, it was ugly.



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


I shouldn't break SOLID principles.





Using super is probably better than explicit naming of the parent class.
Let the user (developer) override UID/GID and hope that he knows why ...








In your former patch you had the pki homedir path VAR_LIB_PKI_DIR:

+if name == 'pkiuser':
+uid = 17
+gid = 17
+homedir = paths.VAR_LIB_PKI_DIR
+shell = paths.NOLOGIN
+comment = 'CA System User'
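Review bot: `uid = 17` and `gid = 17` are assigned unconditionally, so when either ID is already taken on the host the later useradd/groupadd call fails instead of falling back to dynamic allocation; check the IDs before passing them (or let the caller override them, as proposed later in this thread) so the allocation stays 'soft'. The `homedir` value here (`paths.VAR_LIB_PKI_DIR`) also differs from the `paths.VAR_LIB` used in the later revision; pick one and state the reason in the commit message.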

in the last patch you changed it back to:

  homedir=paths.VAR_LIB,

so what is the correct path?



The setup package (soft static allocation) claims that pkiuser should
use '/usr/share/pki' as its home directory. Since pkiuser has
/sbin/nologin set as its login shell it's unable to log in and doesn't
need a home directory at all.
We could use the '--system' option of the useradd utility to skip home
directory creation, or change to the proposed value, or just leave the old
value; all will result in no change in behavior.
I'm not sure if the '--system' option is available universally. IIRC
it used to be a Red Hat-like-systems specific extension.




If there is no reason to change homedir, don't do it.
I will continue with reviewing then.
Martin^2

--
Martin Basti

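As an added illustration (not FreeIPA's code) of the design proposed in the review above: one create_system_user() with keyword arguments in a base task class, and a platform subclass that supplies the soft static UID/GID through super(). It only builds and returns the groupadd/useradd argv so it runs without root; the paths stand-in, the STATIC_IDS table (pkiuser = 17 is the only value taken from this thread) and the injectable ID lookups are assumptions of the example.

```python
import grp
import pwd


class paths(object):
    """Constructed stand-in for ipaplatform.paths (only what the example needs)."""
    GROUPADD = "/usr/sbin/groupadd"
    USERADD = "/usr/sbin/useradd"
    NOLOGIN = "/sbin/nologin"
    VAR_LIB_PKI_DIR = "/var/lib/pki"


# Constructed table of soft static IDs; pkiuser=17 is the value quoted in the thread.
STATIC_IDS = {"pkiuser": (17, 17)}


def never_taken(ident):
    """Lookup stand-in for dry runs: behaves as if no ID is allocated yet."""
    raise KeyError(ident)


def always_taken(ident):
    """Lookup stand-in for dry runs: behaves as if every ID is already allocated."""
    return ident


class BaseTaskNamespace(object):
    """Platform-independent implementation: everything is a keyword argument."""

    def __init__(self, uid_lookup=pwd.getpwuid, gid_lookup=grp.getgrgid):
        # Lookups are injectable so the behaviour can be exercised without root.
        self._uid_lookup = uid_lookup
        self._gid_lookup = gid_lookup

    @staticmethod
    def _id_free(lookup, ident):
        try:
            lookup(ident)
        except KeyError:
            return True
        return False

    def create_system_user(self, name, group, homedir, shell,
                           uid=None, gid=None, comment=None):
        """Return [groupadd argv, useradd argv] for a system account.

        -r asks for a system account (long form: --system) and -M skips home
        directory creation. A requested static UID/GID is passed on only when
        nobody already holds it; otherwise the tools allocate dynamically,
        which is what makes the static allocation 'soft'.
        """
        groupadd = [paths.GROUPADD, "-r"]
        if gid is not None and self._id_free(self._gid_lookup, gid):
            groupadd += ["-g", str(gid)]
        groupadd.append(group)

        useradd = [paths.USERADD, "-g", group, "-d", homedir, "-s", shell, "-M", "-r"]
        if comment is not None:
            useradd += ["-c", comment]  # per-service description, not hard-coded
        if uid is not None and self._id_free(self._uid_lookup, uid):
            useradd += ["-u", str(uid)]
        useradd.append(name)
        return [groupadd, useradd]


class RedHatTaskNamespace(BaseTaskNamespace):
    """Platform layer: supplies the distribution's soft static IDs, then defers to the base."""

    def create_system_user(self, name, group, homedir, shell,
                           uid=None, gid=None, comment=None):
        static_uid, static_gid = STATIC_IDS.get(name, (None, None))
        # An explicit caller value wins; the table is only a default.
        if uid is None:
            uid = static_uid
        if gid is None:
            gid = static_gid
        return super(RedHatTaskNamespace, self).create_system_user(
            name, group, homedir, shell, uid=uid, gid=gid, comment=comment)


def flag_value(argv, flag):
    """Return the value following `flag` in argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


if __name__ == "__main__":
    tasks = RedHatTaskNamespace()
    for cmd in tasks.create_system_user("pkiuser", "pkiuser", paths.VAR_LIB_PKI_DIR,
                                        paths.NOLOGIN, comment="CA System User"):
        print(" ".join(cmd))
```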


Re: [Freeipa-devel] Question how memberof plugin works

2014-11-03 Thread Martin Basti

On 31/10/14 18:05, Ludwig Krispenz wrote:


On 10/31/2014 05:31 PM, Petr Vobornik wrote:

On 31.10.2014 16:54, Martin Basti wrote:

Hello list,

I ran the upgrade (related steps listed in order):

ipa-ldap-updater --upgrade
- applying update files (including 55-pbacmemberof.update)
- updating ACI (new permissions created, added to existing privilege)
ipa-upgradeconfig
- setting up new service (which uses privilege with new permission)

At the end I was expecting the privilege to be missing the new
permission (memberOf attribute), but I tested it in the lab, and membership
was OK.

How does the memberof plugin work?


I know of
http://directory.fedoraproject.org/docs/389ds/design/memberof-plugin.html
If there is another source, I would like to see it as well.

I don't know of another doc, but the mechanism of memberof is quite simple:

In the plugin config you define one or more groupattr and a
memberofattr, e.g.

memberofgroupattr: member
memberofgroupattr: uniqueMember
memberofattr: memberOf

then for any occurrence of the groupattr a value for the memberofattr in the
referenced entry will be created, e.g.:

dn: cn=group,dc=example
member: cn=user,dc=example

will trigger the addition of the memberofattr to the referenced entry cn=user

dn: cn=user,dc=example
objectclass: inetUser
memberOf: cn=group,dc=example

This happens for any add/delete of a memberofgroupattr or when the
memberof fixup task is run.

You have to make sure that the entry which you expect the memberof has
an objectclass allowing the memberof attribute.




We had a similar issue with the new DNS installation, where memberOf
attributes were missing if DNS was installed later. But I can't reproduce this
behavior during upgrade. (The fix was to use 55-pbacmemberof.update as the last
step of the bind service installation.)


Was fixed by a fixup task call in:

https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=895f350ebf5f002a8ba5aff3d521640b12aa3cde 





PS: we had a case where a user had broken DNS privileges and
55-pbacmemberof.update helped. But he had multiple errors and it
could be a cascade effect.




Thank you for the explanation, Ludwig.

--
Martin Basti

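An added simulation (not 389-ds or FreeIPA code) of the memberOf mechanism Ludwig describes: it takes the plugin configuration quoted above, recomputes memberOf for every entry the way the fixup task would, follows nested groups, and reports entries that cannot receive the attribute because no objectclass allows it, which is the silent failure mode behind the missing memberOf values discussed in this thread. The LDIF reader, the sample entries and the ALLOWED_OBJECTCLASSES set are constructed for the example.

```python
import re
from collections import defaultdict

# Plugin configuration, mirroring the three lines quoted in the thread.
PLUGIN_CONFIG = {
    "memberofgroupattr": ["member", "uniqueMember"],
    "memberofattr": "memberOf",
}

# Constructed schema fragment: objectclasses this simulation treats as allowing memberOf.
ALLOWED_OBJECTCLASSES = {"inetuser"}

# Constructed sample directory content. cn=svc has no objectclass that allows memberOf.
SAMPLE_LDIF = """\
dn: cn=group,dc=example
objectclass: groupOfNames
member: cn=user,dc=example
member: cn=svc,dc=example
member: cn=subgroup,dc=example

dn: cn=subgroup,dc=example
objectclass: groupOfNames
objectclass: inetUser
uniqueMember: cn=nested,dc=example

dn: cn=user,dc=example
objectclass: inetUser

dn: cn=nested,dc=example
objectclass: inetUser

dn: cn=svc,dc=example
objectclass: device
"""


def normalize_dn(dn):
    """Lower-case the DN and drop spaces around commas so references compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated records, 'attr: value' lines).
    Returns {normalized dn: {lower-cased attribute: [values]}}."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in record.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = normalize_dn(attrs.pop("dn")[0])
        entries[dn] = dict(attrs)
    return entries


def direct_groups(entries, config):
    """Map each referenced DN to the groups that list it under any memberofgroupattr."""
    groups_of = defaultdict(set)
    for group_dn, attrs in entries.items():
        for groupattr in config["memberofgroupattr"]:
            for member in attrs.get(groupattr.lower(), []):
                groups_of[normalize_dn(member)].add(group_dn)
    return groups_of


def all_groups(dn, groups_of, seen=None):
    """Transitive closure over nested groups; `seen` also guards against cycles."""
    seen = set() if seen is None else seen
    for group_dn in groups_of.get(dn, ()):
        if group_dn not in seen:
            seen.add(group_dn)
            all_groups(group_dn, groups_of, seen)
    return seen


def fixup_memberof(entries, config=PLUGIN_CONFIG, allowed=ALLOWED_OBJECTCLASSES):
    """Recompute memberofattr on a copy of every entry from the group attributes,
    like the memberof fixup task. Returns (updated entries, [(dn, reason)] skipped)."""
    memberofattr = config["memberofattr"].lower()
    groups_of = direct_groups(entries, config)
    updated = {dn: {k: list(v) for k, v in attrs.items() if k != memberofattr}
               for dn, attrs in entries.items()}
    problems = []
    for dn in groups_of:
        if dn not in updated:
            problems.append((dn, "referenced entry does not exist"))
            continue
        classes = {c.lower() for c in updated[dn].get("objectclass", [])}
        if not classes & allowed:
            # The silent failure mode: the plugin cannot add the attribute here.
            problems.append((dn, "no objectclass allows " + config["memberofattr"]))
            continue
        updated[dn][memberofattr] = sorted(all_groups(dn, groups_of))
    return updated, problems


if __name__ == "__main__":
    result, skipped = fixup_memberof(parse_ldif(SAMPLE_LDIF))
    for dn in sorted(result):
        print(dn, "->", result[dn].get("memberof", []))
    print("not updated:", skipped)
```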

Re: [Freeipa-devel] [PATCH 0249-0250] Propagate DNS updates changes from LDAP to signed version of the zone

2014-11-03 Thread Petr Spacek

On 23.4.2014 18:16, Petr Spacek wrote:

Hello,

this patch set enables DNS updates to secure zones and also propagates changes
made in LDAP to secure zones.

NSEC3 doesn't work for some reason so don't waste time messing with NSEC3PARAM
:-)


This is delayed push notice:
170d38dd1b27a5f78eb96fe8c80141f6dd56ec97
98d3deac7b75dfe71f6b0e1306c4c52e38e27f3f

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0246-0248] Follow query/transfer/update policies for secure zones

2014-11-03 Thread Petr Spacek

On 7.5.2014 15:22, Petr Spacek wrote:

On 23.4.2014 18:14, Petr Spacek wrote:

This patch set configures secure zones according to policies in LDAP.


Patch 246 v2 fixes incorrect ATTR_NONNULLS usage which causes segfaults when
compiled with -O0.

Patch 246 v2 obsoletes patch 253.


This is delayed push notice:
b002846b94826d89e7577ad2ed3d852e5296e9d5
748602ed229d3925cc838a9baf2c9888aef7fb3c
0cee0a351c03522aea8ae643644776ed34b5c01f

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0273-0274] Bump NVR to 5.0Update README and NEWS: DNSSEC and changes in forwarding semantics

2014-11-03 Thread Petr Spacek

On 24.6.2014 17:06, Petr Spacek wrote:

Hello,

it's release time!

Bump NVR to 5.0 and update README and NEWS to describe DNSSEC support and
changes in forwarding semantics.


This is delayed push notice:
d093af67072e44ce65be04c7267c4dbaa6cadf08
c12f72dd3edf34c943a108f90c9fd0dac82a716b

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0239-0243] Refactor ldap_parse_master_zoneentry()

2014-11-03 Thread Petr Spacek

On 3.6.2014 10:41, Petr Spacek wrote:

On 6.5.2014 22:11, Lukas Slebodnik wrote:

On (06/05/14 17:15), Petr Spacek wrote:

On 6.5.2014 14:41, Tomas Hozza wrote:

- Original Message -

Hello,

This patch set attempts to move ldap_parse_master_zoneentry() a little bit
closer to sane code.

It is preparation for
https://fedorahosted.org/bind-dyndb-ldap/ticket/56

--
Petr^2 Spacek



Patches look good.

ACK.

ACKing of version 2 of patch 242 will follow. Patch 243 introduced a new
compilation warning that Peter is aware of. Unfortunately we are unable to find
the root cause of it, so leaving it as is for now...


I managed to find & fix one problem (see new version of the patch
243) but GCC still complains.

../../src/ldap_helper.c: In function 'update_zone':
../../src/ldap_helper.c:2334:34: error: 'data_changed' may be used
uninitialized in this function [-Werror=maybe-uninitialized]
  if (sync_state == sync_finished && data_changed == ISC_TRUE)
  ^
../../src/ldap_helper.c:2218:16: note: 'data_changed' was declared here
  isc_boolean_t data_changed;

On my machine with gcc-4.8.2-7.fc20.x86_64 this happens only with -O2.


The same problem with -O1, -Os, -O2 or -O3

I doubt it is a false positive, because I could reproduce it even with
gcc-4.9.0-1.fc21.x86_64


I'm not able to reproduce this with clang-3.4-6.fc20.x86_64 but it is
not so surprising - Clang didn't catch even the first case (fixed by
patch version 2).

Any hint what is wrong or how to refactor code will be appreciated! ;-)


I think it can be some kind of optimization in the function zone_sync_apex.
You can try to debug this function with the plugin's -O2 build :-)

The warning can be suppressed by initialising the variable before the 1st CHECK.
It will not work if you try to initialize it later.


Yesterday I discussed this with jkratoch. We weren't able to find a
case where initialization in ldap_parse_master_zoneentry() would cause any
problem, so I have added the initialization there.


This is delayed push notice:
1aff693f77ef3f2e7f059b52becb5b178eb7b194
04fa577e67543a0b07db329e1ad7fb86c48896ff
2e45aa1d7b83bc33e31b87e919651530944553fb
4fcbaaabf94d9bf2f6942f2ebbc40fed9d2c41a6
f06a0a7375e97d7d275290d8331172fea73be6a4

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0270-0271] Add TLSA and DLV RR types to LDAP schema

2014-11-03 Thread Petr Spacek

On 25.6.2014 14:29, Martin Basti wrote:

On Tue, 2014-06-24 at 17:04 +0200, Petr Spacek wrote:

Hello,

Add TLSA and DLV RR types to LDAP schema.

Those RR types will be handy for DNSSEC users.


Patch 270 LGTM
Patch 271 NACK:
You have to add the 'TLSARecord' attribute to idnsRecord objectclass


This is delayed push notice:
eae0035df2a510512844f602acc70c096fcde2b4
174190a582825478a555c722e9e0314770b895a5

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute

2014-11-03 Thread Petr Spacek

On 17.6.2014 16:41, Tomas Hozza wrote:

- Original Message -

Hello,

This patch set allows you to change DNSSEC zone configuration at run-time.

--
Petr^2  Spacek


Looks good.

ACK.


This is delayed push notice:
5cede8e6f666aeec48aa47ba18a143f2037216f8

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0251-0256] Add support for NSEC3

2014-11-03 Thread Petr Spacek

On 21.5.2014 13:56, Tomas Hozza wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/21/2014 11:33 AM, Petr Spacek wrote:

On 7.5.2014 15:27, Petr Spacek wrote:

On 29.4.2014 23:34, Petr Spacek wrote:

This patch set adds support for NSEC3. See commit messages for details.


Patch 253 was obsoleted by patches 244v2 and 246v2.

You can download the latest & greatest version from the dnssec branch on github:

https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec


Patch 256v2 removes dead code from zone_master_reconfigure_nsec3param()
function.

You can download the latest & greatest version from the dnssec branch on github.

This doesn't solve a race condition somewhere in the start-up sequence, I'm
looking into it.


Hi.

I tested and reviewed patches 244-256 (all latest versions) and tested
the https://github.com/spacekpe/bind-dyndb-ldap/tree/dnssec HEAD.

Everything works as expected within the constraints described in commit messages.

There is still a race condition with signing that Petr is aware of and
is working on. (The zone is sometimes not signed if started using
systemd).

So I'm ACKing the patch-set 244-256.


This is delayed push notice:
c125ae548b77fffc5af9fc9c5e0f5b3c0b83bfbb
3b120f9a1536b56616f0c2da946039bcdb548025
f72976d1f73470fbbd00791d2cb8f823d9053f61
9ae956c448b0b60123e2d26eb60b37eab08b4393
b26e562c7dc19cca9cfcd51907ecbdeb0d8856f6

Patch 253 was obsoleted by patches 244v2 and 246v2.

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for secure zones

2014-11-03 Thread Petr Spacek

On 17.6.2014 10:36, Tomas Hozza wrote:

- Original Message -

Subject: Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for
secure zones
Date: Wed, 04 Jun 2014 17:34:29 +0200
From: Petr Spacek <pspa...@redhat.com>
Organization: Red Hat
To: freeipa-devel@redhat.com

On 3.6.2014 10:53, Petr Spacek wrote:

 Hello,
 
 Fix run-time zone addition for secure zones.


Here comes a fix for the fix ...

We really need a test-suite for bind-dyndb-ldap.


 https://fedorahosted.org/bind-dyndb-ldap/ticket/56


--
Petr^2  Spacek





ACK.


This is delayed push notice:
7589888b70f23c10b0a215cf73d9444677df04d6

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0263-0265] Support root master zone in LDAP Follow BIND semantics for forwarders

2014-11-03 Thread Petr Spacek

On 17.6.2014 16:41, Tomas Hozza wrote:

- Original Message -

Hello,

This patch set contains necessary changes for supporting root master zone in
LDAP. I had to remove one hack so now we follow BIND semantics for
forwarders.

Please see commit messages.

https://fedorahosted.org/bind-dyndb-ldap/ticket/122

--
Petr^2  Spacek


Looks good.

ACK.


This is delayed push notice:
1c9b7ec800b0cbdba6032ec4fd1d41cff6ce5e6d
bff6d68ac200ea1ab543b090ab2763e2437a48ce
6c212c81f1297bef844cf4c6d6f36fc8231e4a45

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0260] Add wrappers for isc_task_*exclusive()

2014-11-03 Thread Petr Spacek

On 17.6.2014 16:41, Tomas Hozza wrote:

- Original Message -

Hello,

Add wrappers for isc_task_*exclusive().

This patch consolidates scattered isc_task_* calls and associated locking into one
place. It helps with debugging sometimes.

--
Petr^2  Spacek


Looks good.

ACK.


This is delayed push notice:
d97e3905fd73839e8abcde8e7ddfb99eefeb22fe

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0269] Silence GCC warning about uninitialized ldap_writeback

2014-11-03 Thread Petr Spacek

On 24.6.2014 17:53, Lukas Slebodnik wrote:

On (24/06/14 16:46), Petr Spacek wrote:

Hello,

Silence GCC warning about uninitialized ldap_writeback.

It seems like a false positive; I can't imagine how ldap_writeback could be
used without prior initialization.

--
Petr^2  Spacek
From eb253b58d6214b3f94d22c3ec2dcf62d0103ad46 Mon Sep 17 00:00:00 2001
From: Petr Spacekpspa...@redhat.com
Date: Mon, 23 Jun 2014 17:02:08 +0200
Subject: [PATCH] Silence GCC warning about uninitialized ldap_writeback.

Signed-off-by: Petr Spacekpspa...@redhat.com
---
src/ldap_helper.c | 4 
1 file changed, 4 insertions(+)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 
43bacf779f44a709b0cefd638826633b9d2d8891..a7a782fdfc5ae4d28b50155c9614d66a427dc3e0 
100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2130,7 +2130,11 @@ zone_sync_apex(const ldap_instance_t * const inst,
isc_boolean_t soa_tuple_alloc = ISC_FALSE;
isc_uint32_t curr_serial;

+   REQUIRE(ldap_writeback != NULL);
+
INIT_LIST(rdatalist);
+   *ldap_writeback = ISC_FALSE; /* GCC */
+
CHECK(setting_get_str(fake_mname, inst-local_settings,
  fake_mname));
CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname,
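Review bot: `*ldap_writeback = ISC_FALSE;` is placed before the first `CHECK(...)`, so every early exit through the cleanup path now leaves the out-parameter defined; that is a behavioural fix for callers that read it after a failed call, not only a warning suppression, so the commit message should say so and the `/* GCC */` comment should state that reason instead. The new `REQUIRE(ldap_writeback != NULL);` turns a NULL argument into a fatal assertion (named aborts), which is the usual BIND convention for contract violations but should be mentioned as well.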
--
1.9.3


ACK


This is delayed push notice:
eb253b58d6214b3f94d22c3ec2dcf62d0103ad46

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0259] Fix run-time zone addition for invalid secure zones

2014-11-03 Thread Petr Spacek

On 17.6.2014 16:40, Tomas Hozza wrote:

- Original Message -

Hello,

Fix run-time zone addition for invalid secure zones.

It is important *not* to delete invalid zones to prevent
ldap_parse_master_zoneentry() from entering an infinite cycle.

Zone addition in ldap_parse_master_zoneentry() enforces serial
write-back to LDAP. This write generates LDAP modify event which
again triggers ldap_parse_master_zoneentry() and so on.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

--
Petr^2  Spacek


Looks good.

ACK.


This is delayed push notice:
8fe1300f4e512a62cf9e5c3038538d52c176fa29

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0033] Remove trivial path constants

2014-11-03 Thread Petr Spacek

On 4.10.2014 01:58, Gabe Alford wrote:

Thanks Petr. Updated patch attached.


Petr^3, is it okay now?

Petr^2 Spacek



On Tue, Sep 30, 2014 at 10:59 AM, Petr Viktorin <pvikt...@redhat.com> wrote:


On 09/30/2014 05:13 AM, Gabe Alford wrote:


Updated patch to fix merge conflicts from recent changes.

On Wed, Sep 24, 2014 at 8:34 PM, Gabe Alford <redhatri...@gmail.com> wrote:

Hello,

Patch for https://fedorahosted.org/freeipa/ticket/4399. Let me know
if I missed any.

Thanks,

Gabe



Thanks for the patch, and sorry for the delay!

ipaserver/tools/ipa-upgradeconfig:
The `filename` and `ca_file` aren't module-level constants; I think in
this case they improve readability.
The ticket calls for removing module-level lines like:
 NSSWITCH_CONF = paths.NSSWITCH_CONF
which are just silly, but assigning a name locally to a global constant is
a valid thing to do -- even if the local name just says the file we're
working on now.


  -ca_file = paths.ALIAS_CACERT_ASC

-if os.path.exists(ca_file):
+if os.path.exists(paths.SYSCONFIG_HTTPD):
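Review bot: the `+` line tests the wrong constant: the removed `ca_file` was `paths.ALIAS_CACERT_ASC`, but the replacement checks `os.path.exists(paths.SYSCONFIG_HTTPD)`, so the branch now depends on a different file; it should read `if os.path.exists(paths.ALIAS_CACERT_ASC):`.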



Whoops!


install/wsgi/plugins.py:

  -PLUGINS_DIR = paths.IPA_JS_PLUGINS_DIR

-


[...]


-if not os.path.isdir(PLUGINS_DIR):
+if not os.path.isdir(paths.IPA_CA_CSR):
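Review bot: same kind of substitution error as in ipa-upgradeconfig: `PLUGINS_DIR` was `paths.IPA_JS_PLUGINS_DIR`, but the replacement checks `os.path.isdir(paths.IPA_CA_CSR)`; it should read `if not os.path.isdir(paths.IPA_JS_PLUGINS_DIR):`.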



Whoops too!


ipaplatform/fedora/tasks.py:
ipa-client/ipa-install/ipa-client-install:
ipaserver/install/dsinstance.py:
ipaserver/install/httpinstance.py:
Again, I'd not change the target_fname, filepath.


ipapython/sysrestore.py:
Again, `SYSRESTORE_PATH` describes better what we do with `paths.TMP`, so
I'd prefer keeping it.


ipaserver/install/adtrustinstance.py:
I don't think we want to convert the self.* to constants.


ipaserver/install/certs.py:
I'd leave NSS_DIR as it is, rather than lose the comment.


ipapython/ipautil.py:
ipaserver/install/ldapupdate.py:
ipalib/session.py:
ipaserver/install/bindinstance.py:
SHARE_DIR, UPDATES_DIR, and krbccache_dir, NAMED_CONF (respectively) need
to stay, unless you also replace them in everything that uses them.

Be sure to run make-lint after doing these changes.


I've rebased, and I made some of the changes as I went along the review.
You can base another revision on the attached patch.




Re: [Freeipa-devel] [PATCH 0274] Add TLSARecord to idnsRecord object class

2014-11-03 Thread Petr Spacek

On 27.6.2014 09:34, Petr Spacek wrote:

Hello,

Add TLSARecord to idnsRecord object class.


This is delayed push notice:
2d358ccbc323ea6d4339f22b16d419195054e017

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0257] Fix race condition during zone loading

2014-11-03 Thread Petr Spacek

On 17.6.2014 09:33, Tomas Hozza wrote:

- Original Message -

On 28.5.2014 13:26, Tomas Hozza wrote:

 On 05/27/2014 03:59 PM, Petr Spacek wrote:

 On 27.5.2014 15:54, Petr Spacek wrote:

 Fix race condition during zone loading.
 
 DNS zone has to be added to DNS view before dns_zone_load() is called.
 It is necessary to prevent dns_zone_load() from racing with
 dns_zone_setview().
 
 This race condition sometimes prevents zone from being signed.
 Now the unsigned zone is visible until signing process is complete. This
 mimics BIND behavior for in-line signed zones.
 
 https://fedorahosted.org/bind-dyndb-ldap/ticket/56

 
 And here is the patch...
 

 
 Hi.
 
 When I use bind-dyndb-ldap plugin with this patch, named
 does not start due to:
 
 rbt.c:1379: REQUIRE(name->buffer != ((void *)0)) failed, back trace
 
 (gdb) bt
 #0  0x7f3963924c39 in raise () from /lib64/libc.so.6
 #1  0x7f3963926348 in abort () from /lib64/libc.so.6
 #2  0x7f3966979aee in assertion_failed ()
 #3  0x7f3964b6917a in isc_assertion_failed () from /lib64/libisc.so.95
 #4  0x7f39661ca9da in dns_rbt_fullnamefromnode () from
 /lib64/libdns.so.100
 #5  0x7f396011824b in rbt_iter_getnodename (iter=optimized out,
 nodename=nodename@entry=0x7f39625f8bf0) at rbt_helper.c:46
 #6  0x7f396011839b in rbt_iter_next
 (iterp=iterp@entry=0x7f39625f8b90,
 nodename=nodename@entry=0x7f39625f8bf0) at rbt_helper.c:144
 #7  0x7f3960112d32 in activate_zones
 (task=task@entry=0x7f39668f5790, inst=0x7f39668e4160) at ldap_helper.c:1164
 #8  0x7f396011a20d in barrier_decrement (task=0x7f39668f5790,
 event=0x7f396005b010) at syncrepl.c:138
 #9  0x7f3964b8b836 in run () from /lib64/libisc.so.95
 #10 0x7f396473ff33 in start_thread () from /lib64/libpthread.so.0
 #11 0x7f39639e3ded in clone () from /lib64/libc.so.6
 
 
 It looks like you should use INIT_BUFFERED_NAME(name); used in the
 original code instead of dns_name_init(name, NULL). The macro
 initializes the buffer in name, which is missing in the new code.


Oh yes, it didn't happen on my machine because I had only a single zone
defined in LDAP at the time of testing. Thank you for catching this!

I'm attaching fixed patch. dns_name_reset() is good enough in this case.

--
Petr^2  Spacek


Now it works.

ACK


This is delayed push notice:
129e54db4fb9ccbb85f2445db81d9f0c89722887

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0266] (aka 257.5) Fix zone reloading for in-line signed zones

2014-11-03 Thread Petr Spacek

On 17.6.2014 10:35, Tomas Hozza wrote:

- Original Message -

Hello,

I forgot to send one patch between no. 257 and 258, so here it is :-)

Fix zone reloading for in-line signed zones.

An invalid secure zone (e.g. without NS records) is now automatically
reloaded when data inside the zone are changed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

--
Petr^2  Spacek


ACK.


This is delayed push notice:
f0bedf45b7ed56717d5dc5566cbbf34938eba0ee

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

2014-11-03 Thread Petr Spacek

On 16.9.2014 10:36, Martin Kosek wrote:

On 09/16/2014 10:30 AM, Martin Basti wrote:

On 16/09/14 10:29, Petr Spacek wrote:

On 16.9.2014 10:09, Martin Kosek wrote:

On 09/16/2014 09:57 AM, Martin Basti wrote:

On 16/09/14 09:32, Martin Basti wrote:

On 15/09/14 20:31, Martin Kosek wrote:

On 09/15/2014 05:16 PM, Martin Basti wrote:

On 15/09/14 17:10, Petr Spacek wrote:

On 12.9.2014 15:19, Martin Basti wrote:

On 03/09/14 12:45, Martin Basti wrote:

On 03/09/14 12:27, Martin Kosek wrote:

On 09/02/2014 05:46 PM, Petr Spacek wrote:

On 25.8.2014 14:52, Martin Basti wrote:

Patches attached.

Ticket: https://fedorahosted.org/freeipa/ticket/4149

There is a bug in bind-dyndb-ldap (or worse, in dirsrv), which causes the
named service to be stopped after deleting a zone.
Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138

Functional ACK, it works for me. It can be pushed if Python gurus are okay
with the code.

Is it safe to commit the change given that bind-dyndb-ldap still crashes
when '.' is removed? Wouldn't it break our CI tests?

Maybe we should wait until fixed bind-dyndb-ldap is released. Hopefully it
would be soon.

Martin


It will break tests, don't push it until bind-dyndb-ldap is fixed.
Currently I'm testing the bind-dyndb-ldap related patch.


Added patches 120 and 121, which are required by DNS to work correctly.
Patches 120 and 121 add all DNS replicas to the zone apex as NS; the
--name-server option doesn't add an NS record, it only changes the SOA MNAME
attribute.

Original and new patches attached.


NACK, unfortunately it doesn't work for me:
# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:
ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
record.
To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
--ns-rec=nameserver'.
Zone name: tri.test.
Active zone: TRUE
Authoritative nameserver: ns.test.
Administrator e-mail address: hostmaster.tri.test.
SOA serial: 1410793406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

[root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
idnsname: tri.test.
idnszoneactive: TRUE
idnssoamname: ns.test.
idnssoarname: hostmaster.tri.test.
idnssoaserial: 1410793408
idnssoarefresh: 3600
idnssoaretry: 900
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnsallowquery: any;
idnsallowtransfer: none;
idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP;
nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
objectClass: idnszone
objectClass: top
objectClass: idnsrecord

[root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
ipa: ERROR: tri.test.: DNS resource record not found


NACKing NACK
ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
you switched the order of zone and record, it should be
ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).



BTW, since we are so nicely breaking the dnszone-add interface, can we also
get rid of always asking for Administrator e-mail address?


# ipa dnszone-add tri.test. --name-server=ns.test.
Administrator e-mail address [hostmaster.tri.test.]:

...

Is there any risk in filling that with default as any other attribute? IMO
it would simplify adding zones for one more redundant step. CCing Rob in
case he knows some historical reasons why this is requested every time.

Martin

There is no risk, because ipa-replica-prepare does that with default values.


Then let us do this, as we are already simplifying the dnszone-add command.


However, this will not work with the root zone '.', and I'm not sure how often an
admin email is used. I think whois is a better utility to get a contact email.

Also RIPE-203 [1] recommends using the 'hostmaster' alias.

[1] http://www.ripe.net/ripe/docs/ripe-203


This will likely generate tons of invalid e-mail addresses, which is somewhat
unfortunate.

Please keep in mind that:
1) E-mail hostmaster@ipa.domain.example. will be useful only if
ipa.domain.example. has MX record or at least A/ record (which is usually
not the case for domains).

2) WHOIS is not useful for internal domains which is the main deployment
scenario for IPA, right?


DNS zone '.' is quite an exception, you are not adding that zone every day. So
I would not keep asking for admin mail just for this one. You can add an
interactive prompt callback to ask in this case and otherwise just use the
default - up to you.

As for the mail alias, this can 

Re: [Freeipa-devel] [PATCH] Coverity fixes for slapi-nis

2014-11-03 Thread Petr Spacek

On 16.9.2013 09:58, Petr Spacek wrote:

On 2.9.2013 15:58, Alexander Bokovoy wrote:

Hi Nalin,

attached please find two patches that fix minor Coverity issues.

The first patch is for issue 11937 which is a false positive but caught
wrong use of the helper method -- the method map_data_set_entry()
passes key and value length arguments through to map_data_save_list()
which expects them to be arrays but we pass a pointer to the variable.
Luckily, in our case map_data_save_list() never goes beyond element 0 of
the array so the fix is mostly cosmetic.

The second fix is in the PAM wrapper in the tests and is minor too -- we would
leak memory if the PAM wrapper wasn't called under the wrapping condition.

The same patches are in my Fedora people slapi-nis tree, branch
'coverity':
http://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/log/?h=coverity


ACK


This is late push notice:
41b540bc76068355e076ba95e60780bd95905d77
929a68b13defe46c0f8913440ba28f0476dcbdab

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0025 Respect UID and GID soft static allocation.

2014-11-03 Thread Martin Basti

On 03/11/14 10:28, David Kupka wrote:





ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns

2014-11-03 Thread Petr Spacek

On 8.10.2014 09:46, Petr Spacek wrote:

Hello,

this is going to be a little bit more interesting.

RHEL/CentOS version of FreeIPA depends on python-dns = 1.11.1-2 but Fedora
version should depend on = 1.12.0.

RHEL contains Git snapshot which is newer than 1.11.1 but is still not
complete 1.12.0. Fedora contains 'proper' 1.11.1 version which is
unfortunately too old.

Fedora bug for rebase to 1.12.0:
https://bugzilla.redhat.com/show_bug.cgi?id=1150396


For now I have copied the necessary method to the DNSSEC daemon directly so the 
FreeIPA release is not blocked by the necessity of having the latest python-dns in Fedora.


This thread should be resurrected when Fedora has new-enough python-dns so we 
can drop our copy of the code from FreeIPA source tree.


Petr^2 Spacek


On 7.10.2014 19:34, Gabe Alford wrote:

Done. Updated patch to use python-dns >= 1.11.1

On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote:


On 07/10/14 15:58, Gabe Alford wrote:

Forgot to add patch.

On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote:


Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4613

Thanks,

Gabe



Thank you!

I prefer to use python-dns >= 1.11.1, there are some DNSSEC fixes which we
may use in tests.

Could you send updated patch please?



--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 335 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage

2014-11-03 Thread David Kupka

On 10/15/2014 04:43 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4629.
It depends on my patches 333 and 334, which are also attached.

(The original patch was posted at
http://www.redhat.com/archives/freeipa-devel/2014-September/msg00454.html.)


How to test:

1. install server

2. kinit as admin

3. run ipa-cacert-manage renew --external-ca, it will produce a CSR

4. sign the CSR with some external CA to get new IPA CA certificate

5. run while true; do ldapdelete -H ldap://$HOSTNAME -Y GSSAPI
'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,<suffix>';
done in background

6. run ipa-cacert-manage renew --external-cert-file=<path to new IPA
CA certificate> --external-cert-file=<path to external CA certificate
chain>

7. stop the loop from step 5

8. run getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
cert-pki-ca', the request should be in MONITORING state, there should
be no ca-error

Honza




Works for me, ACK.

Please push only the patch freeipa-jcholast-335. Patches 
freeipa-jcholast-333 and freeipa-jcholast-334 were pushed earlier.


--
David Kupka
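A check for step 8 of the test procedure above, as an added example that is neither the patch's nor FreeIPA's code: it parses `getcert list` output and confirms that the request for the caSigningCert nickname is in MONITORING state with no ca-error. The sample output and the function names are constructed for the example.

```python
import re

TRACKED_NICKNAME = 'caSigningCert cert-pki-ca'

# Constructed sample in the shape getcert prints: a "Request ID" line followed
# by indented "key: value" lines. The second request is a decoy in a bad state.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141103101500':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\ttrack: yes
Request ID '20141103101501':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\ttrack: yes
"""


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every tracked request."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        # Field lines are indented; split on the first colon only, since
        # values such as URLs in ca-error contain colons themselves.
        if current is not None and line[:1].isspace() and ':' in line:
            key, value = line.strip().split(':', 1)
            current[key] = value.strip()
    return requests


def nickname_of(fields):
    """Extract the NSS nickname from the 'certificate:' storage descriptor."""
    m = re.search(r"nickname='([^']+)'", fields.get('certificate', ''))
    return m.group(1) if m else None


def renewal_healthy(text, nickname=TRACKED_NICKNAME):
    """True iff the request for `nickname` is MONITORING and has no ca-error."""
    for fields in parse_getcert_list(text).values():
        if nickname_of(fields) == nickname:
            return (fields.get('status') == 'MONITORING'
                    and 'ca-error' not in fields)
    return False   # the nickname not being tracked at all is also a failure


if __name__ == '__main__':
    print('OK' if renewal_healthy(SAMPLE_GETCERT_OUTPUT) else 'NOT OK')
```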



Re: [Freeipa-devel] [PATCH] 355 Added vault access control.

2014-11-03 Thread Endi Sukma Dewata

On 10/28/2014 5:35 PM, Endi Sukma Dewata wrote:

On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote:

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect KRA. The LDAP schema
has been updated as well.

Ticket #3872

This patch depends on #353-2.


New patch attached to fix the ticket URL. It depends on #353-3.


New patch attached for some cleanups.

--
Endi S. Dewata
From a9714d34d180ce26c3d484fe313c991fa101ccfb Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 17 Oct 2014 12:05:34 -0400
Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own
private vault container, to allow owners to manage vaults and
containers, and to allow members to use the vaults. New CLIs have
been added to manage the owner and member list. For archive and
retrieve operations the access control has to be enforced by the
plugins because the operations only affect KRA. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt | 134 +++---
 VERSION |   4 +-
 install/share/60basev4.ldif |   4 +-
 install/updates/40-vault.update |   7 ++
 ipalib/plugins/vault.py | 177 +++-
 5 files changed, 310 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt
index 
b73da0af55a3c514de73ae4e1b2a4d13c01c903d..ee33af74eb2870fcdf1ab7e6781797b348243a8f
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,12 +4476,13 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
@@ -4491,13 +4492,40 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_add_member
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault_add_owner
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Str('parent?', cli_name='parent')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', type 'int', None)
+output: Output('failed', type 'dict', None)
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,11,3
+args: 1,12,3
 arg: 
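Review bot: `+command: vault_add_owner` accepts `group*` as well as `user*`, so ownership (and with it the right to manage the owner and member lists that the commit message describes) becomes transitive through group membership. The ACI and the documentation should state this explicitly, and a test in which a plain member calls vault_add_owner and is denied would guard against an over-broad ACI.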

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-11-03 Thread Endi Sukma Dewata

On 10/28/2014 6:26 PM, Endi Sukma Dewata wrote:

On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added an
LDAP certificate store to IPA, see
http://www.freeipa.org/page/V4/CA_certificate_renewal. Currently it
supports only CA certificates, but can be extended to support end entity
certificates rather easily. If you use it for the vault transport
certificate, it can be added to the client NSS database automatically on
install.

Honza



I'm attaching a new patch that's identical to the previous one with the
ticket URL updated. I'm thinking we should check this patch in first
because it's already done, and then investigate the use of the CA cert
management utility as a separate enhancement since it seems to need
to be generalized before it can be used to manage the KRA transport cert.
I'll also need to investigate the KRA transport cert replacement process
to make sure it can be accommodated via IPA's cert management utility.


Revised the patch to always download the transport certificate (no local 
caching). Further optimization can be done later.


--
Endi S. Dewata
From ef9af13e577343d3ff2564e81b9b6dc895a03b09 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  5 
 VERSION |  4 +--
 ipalib/plugins/vault.py | 80 +++--
 3 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
ee33af74eb2870fcdf1ab7e6781797b348243a8f..7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627
 100644
--- a/API.txt
+++ b/API.txt
@@ -4633,6 +4633,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
20948b267e2c585bd59e801d02f9e0b752399609..00a7a3471d79eee741a1986224c3ad534ec5ff3d
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -109,7 +111,6 @@ EXAMPLES:
 )
 
 register = Registry()
-transport_cert_nickname = KRA Transport Certificate
 
 @register()
 class vaultcontainer(LDAPObject):
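Review bot: `-transport_cert_nickname = KRA Transport Certificate` drops the local NSS nickname under which the transport certificate was cached, which matches the cover mail (always download, no local caching) but not the commit message, which still says the certificate is stored locally for subsequent usage; update the message before pushing.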
@@ -693,6 +694,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+

[Freeipa-devel] [PATCH] 357 Added symmetric and asymmetric vaults.

2014-11-03 Thread Endi Sukma Dewata

The IPA vault has been modified to support symmetric and asymmetric
vaults to allow the client to pre-encrypt the data. Due to the status
of the crypto library the actual encryption will be added separately
later.

New LDAP attribute types have been added to store vault type, salt
and public key.

https://fedorahosted.org/freeipa/ticket/3872

--
Endi S. Dewata
From 062d86c4bf4f58eadb863cbcd01bd39ef30691d8 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 24 Oct 2014 19:53:16 -0400
Subject: [PATCH] Added symmetric and asymmetric vaults.

The IPA vault has been modified to support symmetric and asymmetric
vaults to allow the client to pre-encrypt the data. Due to the status
of the crypto library the actual encryption will be added separately
later.

New LDAP attribute types have been added to store vault type, salt
and public key.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  27 +++-
 VERSION |   4 +-
 install/share/60basev4.ldif |   7 +-
 ipalib/plugins/vault.py | 332 +++-
 4 files changed, 358 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 
7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627..7c4a87dcab4a523977cc63341801120816088db1
 100644
--- a/API.txt
+++ b/API.txt
@@ -4476,14 +4476,20 @@ output: Output('result', type 'bool', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
 command: vault_add
-args: 1,11,3
+args: 1,17,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Str('in?', cli_name='in')
+option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', 
multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', 
default=u'standard', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('parent', attribute=False, cli_name='parent', multivalue=False, 
required=False)
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Str('public_key_file?', cli_name='public_key_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('text?', cli_name='text')
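Review bot: `+option: Str('password?', cli_name='password')` on vault_add takes the vault password on the command line, where it ends up in the process list and shell history; the same option recurs in the vault_archive hunk below. Prefer the `Password` parameter type (prompted, not echoed) next to `password_file`, and mark the option `exclude='webui'` unless the web UI is meant to send it. Also `+option: Bytes('ipavaultsalt', ...)` is offered as a create-time option, which lets the caller choose the salt; if the server is meant to generate it, give the attribute the `no_option` flag.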
@@ -4519,7 +4525,7 @@ output: Output('completed', type 'int', None)
 output: Output('failed', type 'dict', None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,12,3
+args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?', cli_name='data')
@@ -4528,6 +4534,8 @@ option: Str('in?', cli_name='in')
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Bytes('nonce?', cli_name='nonce')
 option: Str('parent?', cli_name='parent')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Flag('rights', autofill=True, default=False)
 option: Str('text?', cli_name='text')
@@ -4546,11 +4554,14 @@ output: Output('result', type 'dict', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: vault_find
-args: 1,11,4
+args: 1,14,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='vault_name', 
maxlength=255, multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, query=True, required=False)
+option: Bytes('ipavaultpublickey', attribute=True, autofill=False, 
cli_name='public_key', multivalue=False, query=True, required=False)
+option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', 
multivalue=False, query=True, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False,
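Review bot: `+option: Bytes('ipavaultsalt', ... query=True ...)` and `ipavaultpublickey` become vault_find search criteria, yet neither is meaningful to search by and matching raw bytes from the CLI is awkward; add the `no_search` flag to both so only `ipavaulttype` is offered as a filter.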