[Freeipa-devel] [PATCH 0304] specfile: Add pki-kra to build requirements
Hi, Fixes the python lint errors at build time. Tomas From 90857b35e211f1005aefd72301899e4bb53321b6 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 23 Feb 2015 11:59:51 +0100 Subject: [PATCH] specfile: Add pki-kra to build requirements Fixes the python lint errors at build time. --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index b186d9fdff31118ea4d929f024f4dc16a75b1d0b..f43bfaa4141b201e6fc7f8b4d0c689ac1d620a1d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,6 +92,7 @@ BuildRequires: softhsm-devel = 2.0.0b1-3 BuildRequires: openssl-devel BuildRequires: p11-kit-devel BuildRequires: pki-base = 10.2.1-0.1 +BuildRequires: pki-kra = 10.2.1-0.1 BuildRequires: python-pytest-multihost = 0.5 BuildRequires: python-pytest-sourceorder -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0304] specfile: Add pki-kra to build requirements
Discard, does not fix the problem. Still investigating. On 02/23/2015 12:02 PM, Tomas Babej wrote: Hi, Fixes the python lint errors at build time. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH} Remove unneded imports
On 02/23/2015 04:22 PM, Nathaniel McCallum wrote: On Fri, 2015-02-20 at 09:35 -0500, Simo Sorce wrote: We do not use openssl/des.h anymore, stop checking and importing it. ACK Pushed to: master: 8b199b813d8c9e59b514311a0c1fc16eb935ecb9 ipa-4-1: 840903c4970f934a8cab412ca203cb338ecac6ae Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix license exception
On 02/23/2015 04:21 PM, Nathaniel McCallum wrote: On Fri, 2015-02-20 at 14:55 -0500, Simo Sorce wrote: On Fri, 2015-02-20 at 10:41 -0500, Stephen Gallagher wrote: On Fri, 2015-02-20 at 09:34 -0500, Simo Sorce wrote: During internal conversations it occurred to me we link to OpenSSL but never provided the proper exception for downstreams. Attached patch fixes the problem. Simo. +this exception statement from your version.i If you delete the exception Small typo there version.i Fixed typo. ACK Pushed to: master: d762f61d25508c1856c0fa7dc0ea1e032671542b ipa-4-1: ecbef04692dd3833a985b96d8d849a651c9b3055 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Fix license exception
On Fri, 2015-02-20 at 14:55 -0500, Simo Sorce wrote: On Fri, 2015-02-20 at 10:41 -0500, Stephen Gallagher wrote: On Fri, 2015-02-20 at 09:34 -0500, Simo Sorce wrote: During internal conversations it occurred to me we link to OpenSSL but never provided the proper exception for downstreams. Attached patch fixes the problem. Simo. +this exception statement from your version.i If you delete the exception Small typo there version.i Fixed typo. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH} Remove unneded imports
On Fri, 2015-02-20 at 09:35 -0500, Simo Sorce wrote: We do not use openssl/des.h anymore, stop checking and importing it. ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View
On Mon, 23 Feb 2015, Tomas Babej wrote: Hi, The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 I'm fine with the direction of the fix but please make a constant string and compare with it. Tomas From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 23 Feb 2015 16:16:01 +0100 Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 --- ipalib/plugins/idviews.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -106,8 +106,9 @@ class idview_del(LDAPDelete): msg_summary = _('Deleted ID View %(value)s') def pre_callback(self, ldap, dn, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate): msg_summary = _('Modified an ID View %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery): # the ipaAssignedIDView to None view_dn = None -if view == 'Default Trust View': +if view.lower() == 'default trust view': raise errors.ValidationError( name=_('ID View'), error=_('Default Trust View cannot be applied on hosts') @@ -584,7 +586,7 @@ class baseidoverride(LDAPObject): # Check if parent object is Default Trust View, if so, prohibit # adding overrides for IPA objects -if dn[1].value == 'Default Trust View': +if dn[1].value.lower() == 'default trust view': if dn[0].value.startswith(IPA_ANCHOR_PREFIX): raise errors.ValidationError( name=_('ID View'), -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- / Alexander Bokovoy pgpIzBikRZXs9.pgp Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View
On 02/23/2015 05:08 PM, Alexander Bokovoy wrote: On Mon, 23 Feb 2015, Tomas Babej wrote: Hi, The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 I'm fine with the direction of the fix but please make a constant string and compare with it. Sure thing, you are absolutely right. Updated patch attached. Tomas From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 23 Feb 2015 16:16:01 +0100 Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 --- ipalib/plugins/idviews.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -106,8 +106,9 @@ class idview_del(LDAPDelete): msg_summary = _('Deleted ID View %(value)s') def pre_callback(self, ldap, dn, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate): msg_summary = _('Modified an ID View %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery): # the ipaAssignedIDView to None view_dn = None -if view == 'Default Trust View': +if view.lower() == 'default trust view': raise errors.ValidationError( name=_('ID View'), error=_('Default Trust View cannot be applied on hosts') @@ -584,7 +586,7 @@ class baseidoverride(LDAPObject): # Check if parent object is Default Trust View, if so, prohibit # adding overrides for IPA objects -if dn[1].value == 'Default Trust View': +if dn[1].value.lower() == 'default trust view': if dn[0].value.startswith(IPA_ANCHOR_PREFIX): raise errors.ValidationError( name=_('ID View'), -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From 77c4889f183662f545920af2a283d9d233f95a8d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 23 Feb 2015 16:16:01 +0100 Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 --- ipalib/plugins/idviews.py | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..57f0cce1549edb4e582df225f7831916d96c216b 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -53,6 +53,7 @@ protected_default_trust_view_error = errors.ProtectedEntryError( reason=_('system ID View') ) +DEFAULT_TRUST_VIEW_NAME = default trust view @register() class idview(LDAPObject): @@ -106,8 +107,9 @@ class idview_del(LDAPDelete): msg_summary = _('Deleted ID View %(value)s') def pre_callback(self, ldap, dn, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == DEFAULT_TRUST_VIEW_NAME: +raise protected_default_trust_view_error return dn @@ -118,8 +120,9 @@ class idview_mod(LDAPUpdate): msg_summary = _('Modified an ID View %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == DEFAULT_TRUST_VIEW_NAME: +raise protected_default_trust_view_error return dn @@ -240,7 +243,7 @@ class baseidview_apply(LDAPQuery): # the ipaAssignedIDView to None view_dn = None -if view == 'Default Trust View': +if view.lower() == DEFAULT_TRUST_VIEW_NAME: raise errors.ValidationError( name=_('ID
Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View
On Mon, 23 Feb 2015, Tomas Babej wrote: On 02/23/2015 05:08 PM, Alexander Bokovoy wrote: On Mon, 23 Feb 2015, Tomas Babej wrote: Hi, The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 I'm fine with the direction of the fix but please make a constant string and compare with it. Sure thing, you are absolutely right. Updated patch attached. ACK. -- / Alexander Bokovoy pgpHd7AGu2bLC.pgp Description: PGP signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] One-way trust design
Hi! I've added a design page for one-way trust to www.freeipa.org/page/V4/One-way_trust Below is the page content for easy discussion: {{Feature|version=4.2.0|ticket=4546|author=Ab}} = Overview = Active Directory implementation of a trust between domains and forests uses credentials of a trust domain object (TDO) to communicate across the trust boundary. This is made possible on AD side because whole domain controller implementation is seen as a monolith that doesn't pass around the credentials for the trust domain object. This is purely implementation detail though important one. In early stages of a trust feature development FreeIPA also used trust domain object to directly authenticate against Active Directory services. However, as IPA is a combination of several loosely coupled services, access to the trust domain object is highly guarded to prevent unwanted elevation of privileges across the trust boundary. If FreeIPA was to use TDO's credentials everywhere, it would mean most of trust-related functionality would be limited to IPA admins or TDO object in LDAP would have to be more accessible. Given that TDO credentials can be used to compromise access to our domain, it is not advisable to give a wider access to them. As a side-effect of reducing exposure of TDO credentials, FreeIPA lost ability to establish and use one-way trust to Active Directory. The purpose of this feature is to regain the one-way trust support, yet without giving an elevated access to TDO credentials. = Use cases = A primary use case is the following one: * One-way trust to Active Directory where FreeIPA realm trusts Active * Directory forest using cross-forest trust feature of AD but the AD * forest does not trust FreeIPA realm. Users from AD forest can access * resources in FreeIPA realm. No other use cases exist at the moment. = Design = The one-way feature relies on an implementation of FreeIPA trust to AD feature as released in FreeIPA v3.3. The difference between FreeIPA v3.3 and v3.0 is in the way how credentials to access information from a trusted forest are used. == FreeIPA v3.0 and v3.3 == In FreeIPA v3.0 each IPA master initialized with ipa-adtrust-install command was running Samba suite: smbd and winbindd daemons were used to provide both capabilities to resolve AD users from trusted forests, to manage trust forest topology, and to respond on NETLOGON interfaces as Active Directory Domain Controllers expect to complete the sequence of establishing trust relationships. The rest of clients in FreeIPA were connecting to IPA masters through SSSD by means of an extended LDAP control to resolve AD users and groups. FreeIPA LDAP server's plugin which implemented the extended LDAP control was, in turn, talking to winbindd daemon to complete the resolution of AD users and groups. Additionally, in early FreeIPA v3.0 versions a management framework (both CLI and web UI) was using credentials of TDO to directly resolve AD users and groups against Active Directory Domain Controllers. The consequence of this was that only IPA admins were able to map users and groups from trusted Active Directory forests to local groups. The trust by AD DCs means that FreeIPA framework can utilize existing Kerberos service ticket it has (HTTP/ipa.master@IPA.REALM) to authenticate to AD LDAP servers. AD LDAP servers allow access to its information only to authenticated clients but the clients can provide any proof of authenticity allowed by Active Directory. In the case of cross-forest trust in AD, a properly issued Kerberos ticket from a trusted forest is enough. In order to issue such ticket, FreeIPA KDC does generate privilege attribute certificate data (MS-PAC) as required by Microsoft's specification [https://msdn.microsoft.com/en-us/library/cc237917.aspx [MS-PAC]]. In order to limit which Kerberos services are allowed to authenticate against services in a trusting AD forest, only HTTP/ipa.master@IPA.REALM and host/ipa.master@IPA.REALM are given the MS-PAC in their TGT tickets where the services are presented as members of a virtual Domain Controllers group in FreeIPA domain. FreeIPA v3.0 management framework was switched to use HTTP/ipa.master@IPA.REALM Kerberos ticket with attached MS-PAC information to directly resolve AD users and groups. In FreeIPA v3.3 each IPA master initialized with ipa-adtrust-install command still runs Samba suite: smbd and winbindd daemons. They are used to respond on NETLOGON interfaces as Active Directory Domain Controllers expect them, and to manage trust forest topology. However, users and groups from trusted Active Directory forests are now resolved by SSSD running on the IPA masters. SSSD has gained a so-called IPA server mode which means the requests to resolve AD users and groups will go directly to Active Directory Domain Controllers. The rest of clients in FreeIPA are connecting to IPA masters through SSSD by
[Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View
Hi, The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 Tomas From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Mon, 23 Feb 2015 16:16:01 +0100 Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View The usage of lowercased varsion of 'Default Trust View' can no longer be used to bypass the validation. https://fedorahosted.org/freeipa/ticket/4915 --- ipalib/plugins/idviews.py | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -106,8 +106,9 @@ class idview_del(LDAPDelete): msg_summary = _('Deleted ID View %(value)s') def pre_callback(self, ldap, dn, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate): msg_summary = _('Modified an ID View %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): -if Default Trust View in keys: -raise protected_default_trust_view_error +for key in keys: +if key.lower() == default trust view: +raise protected_default_trust_view_error return dn @@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery): # the ipaAssignedIDView to None view_dn = None -if view == 'Default Trust View': +if view.lower() == 'default trust view': raise errors.ValidationError( name=_('ID View'), error=_('Default Trust View cannot be applied on hosts') @@ -584,7 +586,7 @@ class baseidoverride(LDAPObject): # Check if parent object is Default Trust View, if so, prohibit # adding overrides for IPA objects -if dn[1].value == 'Default Trust View': +if dn[1].value.lower() == 'default trust view': if dn[0].value.startswith(IPA_ANCHOR_PREFIX): raise errors.ValidationError( name=_('ID View'), -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel