[Freeipa-devel] [PATCH 0304] specfile: Add pki-kra to build requirements

2015-02-23 Thread Tomas Babej

Hi,

Fixes the python lint errors at build time.

Tomas
From 90857b35e211f1005aefd72301899e4bb53321b6 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 23 Feb 2015 11:59:51 +0100
Subject: [PATCH] specfile: Add pki-kra to build requirements

Fixes the python lint errors at build time.
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b186d9fdff31118ea4d929f024f4dc16a75b1d0b..f43bfaa4141b201e6fc7f8b4d0c689ac1d620a1d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,6 +92,7 @@ BuildRequires:  softhsm-devel = 2.0.0b1-3
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base = 10.2.1-0.1
+BuildRequires:  pki-kra = 10.2.1-0.1
 BuildRequires:  python-pytest-multihost = 0.5
 BuildRequires:  python-pytest-sourceorder
 
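Review bot: the commit message does not say which lint error this resolves or which Python module the build needs from pki-kra; a BuildRequires added to satisfy a linter should name the import it provides (the same reason the follow-up in this thread withdraws the patch is that nobody can tell from the diff whether this package is the right one). State the failing import in the message and prefer the package that actually owns that module.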
-- 
2.1.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0304] specfile: Add pki-kra to build requirements

2015-02-23 Thread Tomas Babej

Discard, does not fix the problem. Still investigating.

On 02/23/2015 12:02 PM, Tomas Babej wrote:

Hi,

Fixes the python lint errors at build time.

Tomas



Re: [Freeipa-devel] [PATCH] Remove unneeded imports

2015-02-23 Thread Martin Kosek
On 02/23/2015 04:22 PM, Nathaniel McCallum wrote:
 On Fri, 2015-02-20 at 09:35 -0500, Simo Sorce wrote:
 We do not use openssl/des.h anymore, stop checking and importing it.
 
 ACK

Pushed to:
master: 8b199b813d8c9e59b514311a0c1fc16eb935ecb9
ipa-4-1: 840903c4970f934a8cab412ca203cb338ecac6ae

Martin



Re: [Freeipa-devel] [PATCH] Fix license exception

2015-02-23 Thread Martin Kosek
On 02/23/2015 04:21 PM, Nathaniel McCallum wrote:
 On Fri, 2015-02-20 at 14:55 -0500, Simo Sorce wrote:
 On Fri, 2015-02-20 at 10:41 -0500, Stephen Gallagher wrote:
 On Fri, 2015-02-20 at 09:34 -0500, Simo Sorce wrote:
 During internal conversations it occurred to me we link to 
 OpenSSL but never provided the proper exception for downstreams.

 Attached patch fixes the problem.

 Simo.



 +this exception statement from your version.i If you delete the
 exception


 Small typo there version.i

 Fixed typo.
 
 ACK

Pushed to:
master: d762f61d25508c1856c0fa7dc0ea1e032671542b
ipa-4-1: ecbef04692dd3833a985b96d8d849a651c9b3055

Martin



Re: [Freeipa-devel] [PATCH] Fix license exception

2015-02-23 Thread Nathaniel McCallum
On Fri, 2015-02-20 at 14:55 -0500, Simo Sorce wrote:
 On Fri, 2015-02-20 at 10:41 -0500, Stephen Gallagher wrote:
  On Fri, 2015-02-20 at 09:34 -0500, Simo Sorce wrote:
   During internal conversations it occurred to me we link to 
   OpenSSL but never provided the proper exception for downstreams.
   
   Attached patch fixes the problem.
   
   Simo.
   
  
  
  +this exception statement from your version.i If you delete the
  exception
  
  
  Small typo there version.i
 
 Fixed typo.

ACK



Re: [Freeipa-devel] [PATCH] Remove unneeded imports

2015-02-23 Thread Nathaniel McCallum
On Fri, 2015-02-20 at 09:35 -0500, Simo Sorce wrote:
 We do not use openssl/des.h anymore, stop checking and importing it.

ACK



Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View

2015-02-23 Thread Alexander Bokovoy

On Mon, 23 Feb 2015, Tomas Babej wrote:

Hi,

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

I'm fine with the direction of the fix but please make a constant string
and compare with it.




Tomas



From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001

From: Tomas Babej tba...@redhat.com
Date: Mon, 23 Feb 2015 16:16:01 +0100
Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915
---
ipalib/plugins/idviews.py | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -106,8 +106,9 @@ class idview_del(LDAPDelete):
msg_summary = _('Deleted ID View %(value)s')

def pre_callback(self, ldap, dn, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error

return dn

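Review bot: the lowercase literal 'default trust view' is written inline here and again in the three hunks that follow; a single module-level constant (as requested in this reply) keeps the four checks from drifting apart, since a typo in any one copy would silently reopen the bypass for that command alone. A small helper such as `is_default_trust_view(name)` that does the normalisation once would let both pre_callback methods and the apply/override checks share it.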
@@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate):
msg_summary = _('Modified an ID View %(value)s')

def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error

return dn

@@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery):
# the ipaAssignedIDView to None
view_dn = None

-if view == 'Default Trust View':
+if view.lower() == 'default trust view':
raise errors.ValidationError(
name=_('ID View'),
error=_('Default Trust View cannot be applied on hosts')
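Review bot: `view.lower()` raises AttributeError when `view` is None, and the context comment above ('the ipaAssignedIDView to None') suggests that is a legitimate case when a view is being unapplied; the previous `view == 'Default Trust View'` comparison tolerated None. Guard it, e.g. `if view is not None and view.lower() == 'default trust view':`, and cover the unapply path with a test.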
@@ -584,7 +586,7 @@ class baseidoverride(LDAPObject):
# Check if parent object is Default Trust View, if so, prohibit
# adding overrides for IPA objects

-if dn[1].value == 'Default Trust View':
+if dn[1].value.lower() == 'default trust view':
if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
raise errors.ValidationError(
name=_('ID View'),
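Review bot: `.lower()` covers the case variants the ticket describes, but the value compared here comes from the entry's DN, which the directory matches with its own rule for cn; it is worth checking whether that matching rule also ignores whitespace differences (RFC 4518 insignificant-space handling), because if it does, a name the server treats as the same RDN could still differ from the literal after lowercasing. Normalising with the same rule the server applies, or validating the name at creation time, would close that gap if it exists.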
--
2.1.0




--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View

2015-02-23 Thread Tomas Babej


On 02/23/2015 05:08 PM, Alexander Bokovoy wrote:

On Mon, 23 Feb 2015, Tomas Babej wrote:

Hi,

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

I'm fine with the direction of the fix but please make a constant string
and compare with it.


Sure thing, you are absolutely right.

Updated patch attached.





Tomas



From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001

From: Tomas Babej tba...@redhat.com
Date: Mon, 23 Feb 2015 16:16:01 +0100
Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View


The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915
---
ipalib/plugins/idviews.py | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644

--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -106,8 +106,9 @@ class idview_del(LDAPDelete):
msg_summary = _('Deleted ID View %(value)s')

def pre_callback(self, ldap, dn, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error

return dn

@@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate):
msg_summary = _('Modified an ID View %(value)s')

def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, 
**options):

-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error

return dn

@@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery):
# the ipaAssignedIDView to None
view_dn = None

-if view == 'Default Trust View':
+if view.lower() == 'default trust view':
raise errors.ValidationError(
name=_('ID View'),
error=_('Default Trust View cannot be applied on hosts')
@@ -584,7 +586,7 @@ class baseidoverride(LDAPObject):
# Check if parent object is Default Trust View, if so, prohibit
# adding overrides for IPA objects

-if dn[1].value == 'Default Trust View':
+if dn[1].value.lower() == 'default trust view':
if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
raise errors.ValidationError(
name=_('ID View'),
--
2.1.0





From 77c4889f183662f545920af2a283d9d233f95a8d Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 23 Feb 2015 16:16:01 +0100
Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915
---
 ipalib/plugins/idviews.py | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..57f0cce1549edb4e582df225f7831916d96c216b 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -53,6 +53,7 @@ protected_default_trust_view_error = errors.ProtectedEntryError(
 reason=_('system ID View')
 )
 
+DEFAULT_TRUST_VIEW_NAME = default trust view
 
 @register()
 class idview(LDAPObject):
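Review bot: DEFAULT_TRUST_VIEW_NAME holds the lowercased comparison form, not the display name 'Default Trust View' that the user-facing messages and the original entry use; the name of the constant does not say so, and the next person to reuse it for output or for creating the entry will get the wrong spelling. Add a comment stating that it is the normalised form and that every comparison against it must apply `.lower()` first, or keep two clearly named constants (display form and normalised form) next to each other.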
@@ -106,8 +107,9 @@ class idview_del(LDAPDelete):
 msg_summary = _('Deleted ID View %(value)s')
 
 def pre_callback(self, ldap, dn, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == DEFAULT_TRUST_VIEW_NAME:
+raise protected_default_trust_view_error
 
 return dn
 
@@ -118,8 +120,9 @@ class idview_mod(LDAPUpdate):
 msg_summary = _('Modified an ID View %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == DEFAULT_TRUST_VIEW_NAME:
+raise protected_default_trust_view_error
 
 return dn
 
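Review bot: this pre_callback body is identical to the one in idview_del above; with the constant now in place, a one-line helper that takes `keys` and raises protected_default_trust_view_error would remove the duplicated loop and give the apply/override checks further down the same normalised comparison instead of three more copies.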
@@ -240,7 +243,7 @@ class baseidview_apply(LDAPQuery):
 # the ipaAssignedIDView to None
 view_dn = None
 
-if view == 'Default Trust View':
+if view.lower() == DEFAULT_TRUST_VIEW_NAME:
 raise errors.ValidationError(
 name=_('ID 
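Review bot: the switch to the constant keeps the unguarded `view.lower()`; if `view` can be None here, as the comment above about setting ipaAssignedIDView to None suggests for the unapply operation, this line now raises AttributeError where the old equality comparison returned False. Add `view is not None and` in front of the comparison.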

Re: [Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View

2015-02-23 Thread Alexander Bokovoy

On Mon, 23 Feb 2015, Tomas Babej wrote:


On 02/23/2015 05:08 PM, Alexander Bokovoy wrote:

On Mon, 23 Feb 2015, Tomas Babej wrote:

Hi,

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

I'm fine with the direction of the fix but please make a constant string
and compare with it.


Sure thing, you are absolutely right.

Updated patch attached.

ACK.

--
/ Alexander Bokovoy



[Freeipa-devel] One-way trust design

2015-02-23 Thread Alexander Bokovoy

Hi!

I've added a design page for one-way trust to 
www.freeipa.org/page/V4/One-way_trust

Below is the page content for easy discussion:


{{Feature|version=4.2.0|ticket=4546|author=Ab}}

= Overview =
The Active Directory implementation of a trust between domains and forests
uses the credentials of a trust domain object (TDO) to communicate across
the trust boundary. This is made possible on the AD side because the whole
domain controller implementation is seen as a monolith that doesn't pass
around the credentials for the trust domain object. This is purely an
implementation detail, though an important one.

In the early stages of trust feature development, FreeIPA also used the
trust domain object to directly authenticate against Active Directory
services. However, as IPA is a combination of several loosely coupled
services, access to the trust domain object is highly guarded to prevent
unwanted elevation of privileges across the trust boundary. If FreeIPA
were to use the TDO's credentials everywhere, it would mean most
trust-related functionality would be limited to IPA admins, or the TDO
object in LDAP would have to be more accessible. Given that TDO
credentials can be used to compromise access to our domain, it is not
advisable to give wider access to them.

As a side-effect of reducing exposure of TDO credentials, FreeIPA lost the
ability to establish and use a one-way trust to Active Directory. The
purpose of this feature is to regain one-way trust support, yet
without giving elevated access to TDO credentials.

= Use cases =
A primary use case is the following one:

* One-way trust to Active Directory where FreeIPA realm trusts Active Directory forest using cross-forest trust feature of AD but the AD forest does not trust FreeIPA realm. Users from AD forest can access resources in FreeIPA realm.

No other use cases exist at the moment.

= Design =

The one-way feature relies on the implementation of the FreeIPA trust to AD
feature as released in FreeIPA v3.3. The difference between FreeIPA v3.3
and v3.0 is in the way credentials to access information from a
trusted forest are used.

== FreeIPA v3.0 and v3.3 ==
In FreeIPA v3.0 each IPA master initialized with the ipa-adtrust-install
command was running the Samba suite: smbd and winbindd daemons were used to
provide the capabilities to resolve AD users from trusted forests, to
manage trust forest topology, and to respond on NETLOGON interfaces as
Active Directory Domain Controllers expect in order to complete the sequence of
establishing trust relationships. The rest of the clients in FreeIPA were
connecting to IPA masters through SSSD by means of an extended LDAP
control to resolve AD users and groups. The FreeIPA LDAP server's plugin
which implemented the extended LDAP control was, in turn, talking to
the winbindd daemon to complete the resolution of AD users and groups.

Additionally, in early FreeIPA v3.0 versions the management framework
(both CLI and web UI) was using the credentials of the TDO to directly resolve
AD users and groups against Active Directory Domain Controllers. The
consequence of this was that only IPA admins were able to map users and
groups from trusted Active Directory forests to local groups.

Being trusted by AD DCs means that the FreeIPA framework can utilize the existing
Kerberos service ticket it has (HTTP/ipa.master@IPA.REALM) to
authenticate to AD LDAP servers. AD LDAP servers allow access to their
information only to authenticated clients, but the clients can provide
any proof of authenticity allowed by Active Directory. In the case of
cross-forest trust in AD, a properly issued Kerberos ticket from a
trusted forest is enough. In order to issue such a ticket, the FreeIPA KDC
generates privilege attribute certificate data (MS-PAC) as required
by Microsoft's specification
[https://msdn.microsoft.com/en-us/library/cc237917.aspx [MS-PAC]]. In
order to limit which Kerberos services are allowed to authenticate
against services in a trusting AD forest, only HTTP/ipa.master@IPA.REALM
and host/ipa.master@IPA.REALM are given the MS-PAC in their TGT tickets,
where the services are presented as members of a virtual Domain
Controllers group in the FreeIPA domain.

The FreeIPA v3.0 management framework was switched to use the
HTTP/ipa.master@IPA.REALM Kerberos ticket with attached MS-PAC
information to directly resolve AD users and groups.

In FreeIPA v3.3 each IPA master initialized with the ipa-adtrust-install
command still runs the Samba suite: smbd and winbindd daemons. They are used
to respond on NETLOGON interfaces as Active Directory Domain Controllers
expect them, and to manage trust forest topology. However, users and
groups from trusted Active Directory forests are now resolved by SSSD
running on the IPA masters. SSSD has gained a so-called IPA server
mode, which means the requests to resolve AD users and groups will go
directly to Active Directory Domain Controllers. The rest of the clients in
FreeIPA are connecting to IPA masters through SSSD by 

[Freeipa-devel] [PATCH 0305] idviews: Use case-insensitive detection of Default Trust View

2015-02-23 Thread Tomas Babej

Hi,

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

Tomas
From 549bb9a93c07ecf7ffdb913c094700129828017d Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 23 Feb 2015 16:16:01 +0100
Subject: [PATCH] idviews: Use case-insensitive detection of Default Trust View

The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915
---
 ipalib/plugins/idviews.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index df403b1193fe18dfadf437a18a3e0b6ffb7575b4..f59dd06e8afc1da7efce321efaa94523ed8a3e53 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -106,8 +106,9 @@ class idview_del(LDAPDelete):
 msg_summary = _('Deleted ID View %(value)s')
 
 def pre_callback(self, ldap, dn, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error
 
 return dn
 
@@ -118,8 +119,9 @@ class idview_mod(LDAPUpdate):
 msg_summary = _('Modified an ID View %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-if Default Trust View in keys:
-raise protected_default_trust_view_error
+for key in keys:
+if key.lower() == default trust view:
+raise protected_default_trust_view_error
 
 return dn
 
@@ -240,7 +242,7 @@ class baseidview_apply(LDAPQuery):
 # the ipaAssignedIDView to None
 view_dn = None
 
-if view == 'Default Trust View':
+if view.lower() == 'default trust view':
 raise errors.ValidationError(
 name=_('ID View'),
 error=_('Default Trust View cannot be applied on hosts')
@@ -584,7 +586,7 @@ class baseidoverride(LDAPObject):
 # Check if parent object is Default Trust View, if so, prohibit
 # adding overrides for IPA objects
 
-if dn[1].value == 'Default Trust View':
+if dn[1].value.lower() == 'default trust view':
 if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
 raise errors.ValidationError(
 name=_('ID View'),
-- 
2.1.0

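The bypass this patch closes, shown side by side with the normalised check, as an added Python example. It is not FreeIPA code and not part of any patch in this thread: the `ProtectedEntryError` class, `naive_is_protected`, `find_protected_key`, `guard_protected_view`, `is_rejected` and `compare_checks` are hypothetical stand-ins for the `pre_callback` logic in `ipalib/plugins/idviews.py`. It assumes, as the ticket does, that the directory matches the view's `cn` case-insensitively, so a differently cased name reaches the same entry; it generalises the patch by folding the check into one helper and by tolerating a missing name (the unapply case where no view is given).

```python
"""Case-insensitive guard for a protected ID View name.

Added illustration, not FreeIPA code. The pre-patch check compared the
exact string 'Default Trust View', so a request naming the same LDAP entry
as 'default trust view' passed validation; the hardened check normalises
before comparing and does not crash on a missing name.
"""

# Canonical display name of the protected, system-owned view (from the thread)
DEFAULT_TRUST_VIEW_DISPLAY = 'Default Trust View'
# Normalised comparison form, mirroring the updated patch's constant;
# it is never used for output, only for comparisons after .lower()
DEFAULT_TRUST_VIEW_NAME = DEFAULT_TRUST_VIEW_DISPLAY.lower()


class ProtectedEntryError(Exception):
    """Hypothetical stand-in for ipalib's errors.ProtectedEntryError."""


def naive_is_protected(keys):
    """Pre-patch logic: exact, case-sensitive membership test (the bypass)."""
    return DEFAULT_TRUST_VIEW_DISPLAY in keys


def is_protected_view_name(name):
    """Case-insensitive test; a missing name (None) is simply not protected."""
    if name is None:
        return False
    return name.lower() == DEFAULT_TRUST_VIEW_NAME


def find_protected_key(keys):
    """Return the first key that names the protected view, or None."""
    for key in keys:
        if is_protected_view_name(key):
            return key
    return None


def guard_protected_view(*keys):
    """Mirror of the patched pre_callback: refuse any key naming the view.

    Returns the keys unchanged when none of them is protected, so callers
    can chain it the way pre_callback returns dn.
    """
    hit = find_protected_key(keys)
    if hit is not None:
        raise ProtectedEntryError('system ID View: %r' % (hit,))
    return keys


def is_rejected(*keys):
    """True when guard_protected_view would refuse these keys."""
    try:
        guard_protected_view(*keys)
    except ProtectedEntryError:
        return True
    return False


def compare_checks():
    """Run a constructed lowercase variant through both checks."""
    variant = 'default trust view'  # constructed sample input
    return {
        'naive_blocks_variant': naive_is_protected((variant,)),
        'hardened_blocks_variant': find_protected_key((variant,)) is not None,
    }


if __name__ == '__main__':
    print(compare_checks())
    print('mixed case rejected:', is_rejected('Default trust VIEW'))
    print('unapply (None) tolerated:', is_rejected(None))
```

Running the module prints that the naive check lets the lowercase variant through while the hardened one stops it, and that a None key, which the patched `view.lower()` call would choke on, is handled without an exception.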