[Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-15 Thread Fraser Tweedale
Please find attached latest patches including new patches:

- 0006 enable LDAP-based profiles in Dogtag on upgrade
- 0007 import included profiles during install or upgrade

There is one TODO in the patches where some more code is needed on
Dogtag side, and another TODO (not in patches) to migrate
caIPAserviceCert profile to DefaultService profile and switch to
using DefaultService for certificate issuance (as the default
profile).

Jan and Martin, further comments to earlier reviews inline.

Cheers,
Fraser

On Wed, May 13, 2015 at 10:39:55AM +0200, Jan Cholasta wrote:
 Dne 13.5.2015 v 10:36 Martin Basti napsal(a):
 On 13/05/15 10:06, Jan Cholasta wrote:
 Hi,
 
 Dne 5.5.2015 v 10:38 Martin Basti napsal(a):
 On 05/05/15 08:29, Fraser Tweedale wrote:
 On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote:
 On 04/05/15 15:36, Fraser Tweedale wrote:
 Hello,
 
 Please review the first cut of the 'certprofile' command and other
 changes associated with the Certificate Profiles feature[1].
 
 Custom profiles can't be used yet because 'cert-request' has not
 been updated, but you can manage the profiles (find, show, import,
 modify, delete).  There's a bit more work to do on profile
 management and a lot more to do for using profiles and sub-CAs.  I
 am tracking my progress on etherpad[2] so if you are reviewing check
 there for the TODO list and some commentary.
 
 If you want to test: for f21, please use Dogtag from my copr[2].
 For f22 the required version is in updates-testing (or my copr).
 
 In summary: this is not the whole feature, just the first functional
 part.  Since it is my first experience developing in the IPA
 framework I want to get patches out so you can point out all the
 things I did wrong or overlooked, and I can fix them. Don't hold
 back :)
 
 [1] http://www.freeipa.org/page/V4/Certificate_Profiles
 [2] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
 [3] http://copr.fedoraproject.org/coprs/ftweedal/freeipa/
 
 
 Thank you for the patches, I have no idea what kind of dogtag magic is
 happening there, but I have a few comments related to IPA:
 
 Thanks for reviewing, Martin.  Comments inline.
 You are welcome, comments inline.
 Martin^2
 
 Upgrade:
 
 1)
 
 +config.set(CA, pki_profiles_in_ldap, True)
 
 IMO this will work only for new installations. For upgrade you may
 need to add this to ipa-upgradeconfig.
 
 OK.
 
 2)
 +dn: cn=certprofiles,cn=etc,$SUFFIX
 +changetype: add
 +objectClass: nsContainer
 +objectClass: top
 +cn: certprofiles
 
 IMO this will work only for new installations. For upgrade you may
 need to add it into the update file as well, with the 'default' keyword.
 
 I don't understand about the 'default' keyword - can you explain this
 some more?
 In an upgrade file:
 
 dn: cn=certprofiles,cn=etc,$SUFFIX
 default:objectClass: nsContainer
 default:objectClass: top
 default:cn: certprofiles
 
 Maybe we should do what DNS does and have a container for CA specific
 stuff in the suffix: cn=ca,$SUFFIX.
 
 The container would be created only if CA is installed.
 
 Certificate profile container would then be
 cn=certprofiles,cn=ca,$SUFFIX.
 
I haven't changed this for the current patchset.  What are the
implications / motivations for changing it?

 3)
 Your patch 0004 will work on new installations only. You may need
 to add that new step into ipa-upgradeconfig.
 
 Must be that step there during installation?
 If not, you can create just one update file, which will be applied at
 the end of installation and during upgrade.
 
 This change must be made to the Dogtag directory (not IPA) - can an
 update file be used to do that?  If not, is ipa-upgradeconfig the
 best place to make this change?
 If it is change in LDAP, you can use updatefile:
 
 dn: cn=aclResources,$SUFFIX
 add:resourceACLS: certServer.profile.configuration:read,modify:allow
 (read,modify) group=Certificate Manager Agents:Certificate Manager
 agents may modify (create/update/delete) and read profiles
 
 Please temporarily use my patch freeipa-mbasti-231-4 (which will be
 pushed soon) to avoid issues with CSV.
 
 Note that this update should be done only if CA is installed.
 In that case, you must create update plugins.
 
 I would prefer a CAInstance method called during install and in
 ipa-upgradeconfig. So more or less what Fraser already did, except the
 ipa-upgradeconfig part.
 
Patch 0004 was updated and now has CAInstance method during install,
and ipa-upgradeconfig method for upgrade.

 
 Martin^2
 
 Other issues:
 1)
 I do not see modifications in API.txt file
 
 2)
 We use new shorter license header
 #
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
 3)
 +from ipalib.plugins.baseldap import \
 +LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate,
 LDAPRetrieve
 
 please use 'import ( modules, .. )' instead of '\'
 
 4)
 +if method == 'POST' \
 +and 'content-type' not in (str(k).lower() for k in
 headers.viewkeys()):
 
 again, please use 
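The update-file keywords discussed above (`default:` for values that should only be set when the attribute is not already there, `add:` for appending a value such as a Dogtag `resourceACLS` entry, and `only:` as used in the domain-level patch elsewhere in this digest) are what make one update file safe to apply both at the end of installation and at every upgrade. The following is an added example, not FreeIPA's `ipaserver.install.ldapupdate` code: a small in-memory applier with simplified, assumed semantics for `default`, `add`, `only` and `remove`, run over a constructed update file modelled on the snippets in this thread. The suffix, FQDN and starting directory contents are made up for the example.

```python
"""Toy applier for FreeIPA-style LDAP update files (added illustration,
not ipaserver.install.ldapupdate).  Keyword semantics are an assumption
simplified for this example:
  default:  set the value only if the attribute was absent before this block
  add:      append the value unless it is already present
  only:     replace all values of the attribute with this one
  remove:   drop the value if present
Entries that do not exist are created; re-running the file is a no-op."""
import re

SUFFIX = "dc=example,dc=test"        # assumed value of $SUFFIX
VARIABLES = {                        # assumed $NAME substitutions
    "SUFFIX": SUFFIX,
    "FQDN": "ipa1.example.test",
    "MAX_DOMAIN_LEVEL": "1",
}

# Constructed update file, modelled on the snippets quoted in the thread.
UPDATE_TEXT = """
dn: cn=certprofiles,cn=etc,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: certprofiles

dn: cn=aclResources,$SUFFIX
add:resourceACLS: certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
only:ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
"""


def substitute(text, variables):
    """Replace $NAME with variables[NAME]; unknown names are left untouched."""
    return re.sub(r"\$([A-Z_]+)",
                  lambda m: variables.get(m.group(1), m.group(0)), text)


def parse_update(text, variables):
    """Return [(dn, [(keyword, attr, value), ...]), ...]; attrs lower-cased."""
    blocks = []
    for raw in text.splitlines():
        line = substitute(raw.strip(), variables)
        if not line or line.startswith("#"):
            continue
        if line[:3].lower() == "dn:":
            blocks.append((line[3:].strip(), []))
            continue
        if not blocks:
            raise ValueError("attribute line before any dn: line")
        keyword, rest = line.split(":", 1)
        attr, value = rest.split(":", 1)   # the value may itself contain ':'
        blocks[-1][1].append((keyword.strip().lower(),
                              attr.strip().lower(), value.strip()))
    return blocks


def apply_update(directory, text, variables):
    """Apply the update to directory (dn -> {attr: [values]}) in place.
    Returns the list of (dn, keyword, attr) changes made; an empty list on
    a re-run is what makes the file safe to apply at every upgrade."""
    changes = []
    for dn, ops in parse_update(text, variables):
        existed = dn in directory
        entry = directory.setdefault(dn, {})
        present_before = set(entry)          # attrs present before this block
        for keyword, attr, value in ops:
            values = entry.setdefault(attr, [])
            if keyword == "default":
                if attr not in present_before and value not in values:
                    values.append(value)
                    changes.append((dn, keyword, attr))
            elif keyword == "add":
                if value not in values:
                    values.append(value)
                    changes.append((dn, keyword, attr))
            elif keyword == "only":
                if values != [value]:
                    entry[attr] = [value]
                    changes.append((dn, keyword, attr))
            elif keyword == "remove":
                if value in values:
                    values.remove(value)
                    changes.append((dn, keyword, attr))
            else:
                raise ValueError("unknown update keyword %r" % keyword)
            if not entry[attr]:
                del entry[attr]
        if not entry:
            del directory[dn]                # nothing to create
        elif not existed:
            changes.append((dn, "create", None))
    return changes


def demo():
    """Constructed starting state: Dogtag's ACL entry already exists with one
    ACL; the certprofiles container and the domain-level entry do not."""
    directory = {
        "cn=aclResources," + SUFFIX: {
            "objectclass": ["top", "extensibleObject"],
            "resourceacls": [
                'certServer.ca.configuration:read:allow (read) '
                'group="Certificate Manager Agents":Agents may read CA config'],
        },
    }
    first = apply_update(directory, UPDATE_TEXT, VARIABLES)    # install
    second = apply_update(directory, UPDATE_TEXT, VARIABLES)   # upgrade: no-op
    return directory, first, second


if __name__ == "__main__":
    d, first, second = demo()
    print("first run:", first)
    print("second run:", second)
```

Running `demo()` creates the two missing entries and appends the profile ACL on the first pass and changes nothing on the second; changing `MAX_DOMAIN_LEVEL` in the variables makes the `only:` line rewrite just that attribute, which is the behaviour wanted when a master's supported range changes on upgrade.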

Re: [Freeipa-devel] [PATCH 0325] Add Domain Level feature

2015-05-15 Thread Ludwig Krispenz


On 05/14/2015 11:48 AM, Jan Cholasta wrote:

Hi,

Dne 14.5.2015 v 11:00 Tomas Babej napsal(a):

Hi,

this patch implements the domain level feature.

https://fedorahosted.org/freeipa/ticket/5018

Tomas


1)

+# Create entry proclaiming Domain Level support of this master
+# This will update the supported Domain Levels during upgrade
+dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: objectClass: ipaConfigObject
+default: objectClass: ipaSupportedDomainLevelConfig
+only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
+only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

The design states that supported domain levels should be stored 
directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree with 
that - there is no reason to have this information in a separate entry.
yes, the design states that the domainlevel supported by a server should 
be stored in the cn=fqdn entry,


but this is only informational, saying what level a server could handle,
and the selected level used has to be set and stored, and the design doc
says this has to be in:


Selected Domain level shall be stored in cn=DomainLevel,cn=etc,SUFFIX

Tomas,
I don't see the handling of the global domain level entry

Ludwig



2) I thought we agreed to call the command domainlevel-set instead of 
domainlevel-raise: 
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html.



3) Domain level is just a single integer and it should be treated as 
such, there's no need for an LDAPObject plugin and other unnecessary 
complexities. The implementation could be as simple as (from top of my 
head, untested):


from ipalib import Command, Int, output
from ipalib.plugable import Registry

register = Registry()

domainlevel_output = (
    output.Output('result', int),
)


@register()
class domainlevel_get(Command):
    has_output = domainlevel_output

    def execute(self, *args, **options):
        ldap = self.api.Backend.ldap2

        dn = ...   # DN of the global domain level entry (left open in the sketch)
        entry = ldap.get_entry(dn, ['ipaDomainLevel'])

        return {'result': int(entry.single_value['ipaDomainLevel'])}


@register()
class domainlevel_set(Command):
    has_output = domainlevel_output

    takes_args = (
        Int('value'),
    )

    def execute(self, *args, **options):
        ldap = self.api.Backend.ldap2

        value = args[0]
        # ... validate value ...

        dn = ...   # same entry as in domainlevel_get
        entry = ldap.get_entry(dn, ['ipaDomainLevel'])
        entry.single_value['ipaDomainLevel'] = value
        ldap.update_entry(entry)

        return {'result': value}


Honza



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
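The "validate value" step left open in the sketch above is where the security-relevant decision sits: which values of the single integer a caller may store. The following is an added example, not FreeIPA code, with two rules that are assumptions for this illustration: the level may only be raised, never lowered, and every master must publish support for the requested level through the per-master ipaMinDomainLevel / ipaMaxDomainLevel attributes shown in the update-file snippet quoted in this thread. The master list is constructed; the FQDNs are made up.

```python
"""Domain level validation: added example, not FreeIPA code.
Assumed rules: the level only goes up, and every master must support the
new level (ipaMinDomainLevel <= level <= ipaMaxDomainLevel on each one)."""


def supported_range(masters):
    """Intersection of every master's [ipaMinDomainLevel, ipaMaxDomainLevel].
    masters: {fqdn: {"ipaMinDomainLevel": int, "ipaMaxDomainLevel": int}}.
    Returns (lo, hi); lo > hi means no single level is supported by all."""
    lo = max(m["ipaMinDomainLevel"] for m in masters.values())
    hi = min(m["ipaMaxDomainLevel"] for m in masters.values())
    return lo, hi


def check_level(current, requested, masters):
    """Return a list of human-readable problems; an empty list means the
    change from `current` to `requested` may be stored."""
    problems = []
    if requested < current:
        problems.append("domain level cannot be lowered from %d to %d"
                        % (current, requested))
    if not masters:
        problems.append("no masters found to check against")
        return problems
    # Name the masters that block the raise so the admin knows what to upgrade.
    blockers = sorted(
        fqdn for fqdn, m in masters.items()
        if not m["ipaMinDomainLevel"] <= requested <= m["ipaMaxDomainLevel"])
    if blockers:
        problems.append("level %d not supported by: %s"
                        % (requested, ", ".join(blockers)))
    return problems


def validate_new_level(current, requested, masters):
    """The '... validate value ...' step of the sketch: raise ValueError
    listing every problem, or return the value to write to ipaDomainLevel."""
    problems = check_level(current, requested, masters)
    if problems:
        raise ValueError("; ".join(problems))
    return requested


# Constructed topology: two upgraded masters and one that still supports
# only level 0, so the domain cannot be raised until it is upgraded too.
MASTERS = {
    "ipa1.example.test": {"ipaMinDomainLevel": 0, "ipaMaxDomainLevel": 1},
    "ipa2.example.test": {"ipaMinDomainLevel": 0, "ipaMaxDomainLevel": 1},
    "ipa3.example.test": {"ipaMinDomainLevel": 0, "ipaMaxDomainLevel": 0},
}

if __name__ == "__main__":
    print("supported by all masters:", supported_range(MASTERS))
    print("raise 0 -> 1:", check_level(0, 1, MASTERS))
```

With the sample topology the raise to level 1 is refused and the refusal names ipa3.example.test; once that master publishes ipaMaxDomainLevel 1 the same call succeeds, and a later request to go back to 0 is rejected as a downgrade.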


[Freeipa-devel] [PATCH] 830 webui: fix empty table border in Firefox

2015-05-15 Thread Petr Vobornik

Firefox suffers from: https://bugzilla.mozilla.org/show_bug.cgi?id=409254

This is a workaround to fix it.
--
Petr Vobornik
From 8743615886ed3f10dddbf78bc0152f3b7fbdafa2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 7 May 2015 10:23:11 +0200
Subject: [PATCH] webui: fix empty table border in Firefox

Firefox suffers from: https://bugzilla.mozilla.org/show_bug.cgi?id=409254

This is a workaround to fix it.
---
 install/ui/less/widgets.less | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/install/ui/less/widgets.less b/install/ui/less/widgets.less
index edfa005a7231d8c57338d4d07983126612148ec9..cafd3bd96264c0c1ad86a773b8ffd7f15874575f 100644
--- a/install/ui/less/widgets.less
+++ b/install/ui/less/widgets.less
@@ -89,4 +89,7 @@
 .tooltip-inner {
 min-width: 200px;
 max-width: 400px;
-}
\ No newline at end of file
+}
+
+// workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=409254
+tbody:empty { display: none; }
\ No newline at end of file
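Review bot: `tbody:empty { display: none; }` only matches a tbody with no child nodes at all, so a tbody that still contains whitespace text (for instance a newline emitted between the tags by a template) keeps its border; if the tables are built from markup rather than by appending rows, make sure the empty tbody is emitted with nothing inside, or clear it with `.empty()` instead of removing rows one by one. The hunk also restores the missing trailing newline on the old last line and then drops it again on the new one; worth ending the file with a newline while it is being touched.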
-- 
2.1.0


[Freeipa-devel] [PATCH 0364] Remove unused files rdlist.c and rdlist.h

2015-05-15 Thread Petr Spacek
Hello,

Remove unused files rdlist.c and rdlist.h.

I noticed this cruft while preparing the previous patchset.

This patch is independent and applicable directly to master branch.

-- 
Petr^2 Spacek
From 274f5ea92866c50c77c59f6dabc64c3bdf162ace Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 15 May 2015 11:41:02 +0200
Subject: [PATCH] Remove unused files rdlist.c and rdlist.h.

---
 src/Makefile.am |   2 -
 src/ldap_driver.c   |   1 -
 src/ldap_helper.c   |   1 -
 src/rdlist.c| 261 
 src/rdlist.h|  46 -
 src/zone_register.c |   1 -
 6 files changed, 312 deletions(-)
 delete mode 100644 src/rdlist.c
 delete mode 100644 src/rdlist.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 4cccabab285b43e9e76bd3cca0184d4d87941e8a..c5b01d796a14aa35bcf1317603e191d4cf882675 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -14,7 +14,6 @@ HDRS =\
 	lock.h			\
 	log.h			\
 	rbt_helper.h		\
-	rdlist.h		\
 	semaphore.h		\
 	settings.h		\
 	syncrepl.h		\
@@ -37,7 +36,6 @@ ldap_la_SOURCES =		\
 	lock.c			\
 	log.c			\
 	rbt_helper.c		\
-	rdlist.c		\
 	semaphore.c		\
 	settings.c		\
 	syncrepl.c		\
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 8b78c960cfb05cc0f4c0fb50e3fbdaa9cfdcae50..46729f9dad69ce7906693aaef845cbb1354248c5 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -51,7 +51,6 @@
 #include ldap_helper.h
 #include ldap_convert.h
 #include log.h
-#include rdlist.h
 #include util.h
 #include zone_manager.h
 
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 42efc8c0889e60636a1f7bed193b1b45eb279907..384d4c48bddb7dc613d477065e4ee17c2dbd7061 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -80,7 +80,6 @@
 #include ldap_helper.h
 #include lock.h
 #include log.h
-#include rdlist.h
 #include semaphore.h
 #include settings.h
 #include str.h
diff --git a/src/rdlist.c b/src/rdlist.c
deleted file mode 100644
index 08a2d80a821a717c0f3177941481e73b7bd9fc2f..
--- a/src/rdlist.c
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Authors: Adam Tkac   at...@redhat.com
- *  Martin Nagy mn...@redhat.com
- *
- * Copyright (C) 2009-2012  Red Hat
- * see file 'COPYING' for use and warranty information
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation; version 2 or later
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include isc/mem.h
-#include isc/result.h
-#include isc/util.h
-#include isc/buffer.h
-#include isc/md5.h
-
-#include dns/rdata.h
-#include dns/rdatalist.h
-
-#include string.h
-#include stdlib.h
-
-#include ldap_helper.h /* TODO: Move things from ldap_helper here? */
-#include rdlist.h
-#include util.h
-
-
-/* useful only for RR sorting purposes */
-typedef struct rr_sort rr_sort_t;
-struct rr_sort {
-	dns_rdatalist_t	*rdatalist;	/* contains RR class, type, TTL */
-	isc_region_t	rdatareg;	/* handle to binary area with RR data */
-};
-
-static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
-rdata_clone(isc_mem_t *mctx, dns_rdata_t *source, dns_rdata_t **targetp)
-{
-	isc_result_t result;
-	dns_rdata_t *target = NULL;
-	isc_region_t target_region, source_region;
-
-	REQUIRE(source != NULL);
-	REQUIRE(targetp != NULL  *targetp == NULL);
-
-	CHECKED_MEM_GET_PTR(mctx, target);
-
-	dns_rdata_init(target);
-
-	dns_rdata_toregion(source, source_region);
-
-	CHECKED_MEM_GET(mctx, target_region.base, source_region.length);
-
-	target_region.length = source_region.length;
-	memcpy(target_region.base, source_region.base, source_region.length);
-	dns_rdata_fromregion(target, source-rdclass, source-type,
-			 target_region);
-
-	*targetp = target;
-
-	return ISC_R_SUCCESS;
-
-cleanup:
-	SAFE_MEM_PUT_PTR(mctx, target);
-
-	return result;
-}
-
-isc_result_t
-rdatalist_clone(isc_mem_t *mctx, dns_rdatalist_t *source,
-		dns_rdatalist_t **targetp)
-{
-	dns_rdatalist_t *target;
-	dns_rdata_t *source_rdata;
-	dns_rdata_t *target_rdata;
-	isc_result_t result;
-
-	REQUIRE(source != NULL);
-	REQUIRE(targetp != NULL  *targetp == NULL);
-
-	CHECKED_MEM_GET_PTR(mctx, target);
-
-	dns_rdatalist_init(target);
-	target-rdclass = source-rdclass;
-	target-type = source-type;
-	target-covers = source-covers;
-	target-ttl = source-ttl;
-
-	source_rdata = HEAD(source-rdata);
-	while (source_rdata != NULL) {
-		target_rdata = NULL;
-		CHECK(rdata_clone(mctx, source_rdata, target_rdata));
-		APPEND(target-rdata, 

Re: [Freeipa-devel] [PATCH 0325] Add Domain Level feature

2015-05-15 Thread Ludwig Krispenz


On 05/15/2015 09:22 AM, Ludwig Krispenz wrote:


On 05/14/2015 11:48 AM, Jan Cholasta wrote:

Hi,

Dne 14.5.2015 v 11:00 Tomas Babej napsal(a):

Hi,

this patch implements the domain level feature.

https://fedorahosted.org/freeipa/ticket/5018

Tomas


1)

+# Create entry proclaiming Domain Level support of this master
+# This will update the supported Domain Levels during upgrade
+dn: cn=Domain Level support,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: objectClass: ipaConfigObject
+default: objectClass: ipaSupportedDomainLevelConfig
+only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
+only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

The design states that supported domain levels should be stored 
directly in cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX and I agree 
with that - there is no reason to have this information in a separate 
entry.
yes, the design states that the domainlevel supported by a server 
should be stored in the cn=fqdn entry,


but this is only informational, saying what level a server could 
handle, and the selected level used has to be set and stored, and the 
design doc says this has to be in:


Selected Domain level shall be stored in cn=DomainLevel,cn=etc,SUFFIX

Tomas,
I don't see the handling of the global domain level entry
ok, it is there, you called it cn=Domain Level (with a space), I used 
cn=DomainLevel - so I wouldn't find it; we need to agree on a naming or 
a way to detect the entry

I will probably change to search for objectclass=ipaDomainLevelConfig


Ludwig



2) I thought we agreed to call the command domainlevel-set instead of 
domainlevel-raise: 
https://www.redhat.com/archives/freeipa-devel/2015-May/msg00101.html.



3) Domain level is just a single integer and it should be treated as 
such, there's no need for an LDAPObject plugin and other unnecessary 
complexities. The implementation could be as simple as (from top of my 
head, untested):


from ipalib import Command, Int, output
from ipalib.plugable import Registry

register = Registry()

domainlevel_output = (
    output.Output('result', int),
)


@register()
class domainlevel_get(Command):
    has_output = domainlevel_output

    def execute(self, *args, **options):
        ldap = self.api.Backend.ldap2

        dn = ...   # DN of the global domain level entry (left open in the sketch)
        entry = ldap.get_entry(dn, ['ipaDomainLevel'])

        return {'result': int(entry.single_value['ipaDomainLevel'])}


@register()
class domainlevel_set(Command):
    has_output = domainlevel_output

    takes_args = (
        Int('value'),
    )

    def execute(self, *args, **options):
        ldap = self.api.Backend.ldap2

        value = args[0]
        # ... validate value ...

        dn = ...   # same entry as in domainlevel_get
        entry = ldap.get_entry(dn, ['ipaDomainLevel'])
        entry.single_value['ipaDomainLevel'] = value
        ldap.update_entry(entry)

        return {'result': value}


Honza







[Freeipa-devel] [PATCH] 831 webui: better error reporting

2015-05-15 Thread Petr Vobornik

Helps in development and debugging.

- ActionDropdownWidget - report error if required action is missing
- report build errors to console
--
Petr Vobornik
From 02464015d151d859ef79c9e87d65684d78e6261e Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 22 Apr 2015 13:17:25 +0200
Subject: [PATCH] webui: better error reporting

- ActionDropdownWidget - report error if required action is missing
- report build errors to console
---
 install/ui/src/freeipa/Application_controller.js   | 1 -
 install/ui/src/freeipa/_base/Builder.js| 1 +
 install/ui/src/freeipa/_base/Singleton_registry.js | 4 
 install/ui/src/freeipa/widgets/ActionDropdownWidget.js | 6 ++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 4bf76f8f56a8e34e330c35956b8922cc3c8f79e3..7e76c225775019f714e4b462b2acfc909b93c755 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -262,7 +262,6 @@ define([
 if (error.results) {
 var msg = error.results.message;
 var stack = error.results.stack.toString();
-window.console.error(msg);
 window.console.error(stack);
 details.append('h3Technical details:/h3');
 details.append($('div/', { text: error.results.message }));
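Review bot: the subject promises better error reporting, yet this hunk removes the `window.console.error(msg)` call and keeps only the stack; that is a net loss unless `error.results.stack` already embeds the message, which depends on how that string was built, so either keep the message line or say in the commit message why it is redundant. The context line `var stack = error.results.stack.toString();` also runs unguarded, so an error object without a stack field throws inside the error handler itself.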
diff --git a/install/ui/src/freeipa/_base/Builder.js b/install/ui/src/freeipa/_base/Builder.js
index 9433a8126e160120fff046c792f4e74330052ea0..f1183c1c23379e2adc61fb62cf24187ba092e44a 100644
--- a/install/ui/src/freeipa/_base/Builder.js
+++ b/install/ui/src/freeipa/_base/Builder.js
@@ -345,6 +345,7 @@ define(['dojo/_base/declare',
 // object is not to be built
 obj = null;
 } else {
+window.console.error(e.stack);
 throw e;
 }
 }
diff --git a/install/ui/src/freeipa/_base/Singleton_registry.js b/install/ui/src/freeipa/_base/Singleton_registry.js
index 6aa10545630da9b0dc95c165f19c2b12ad63832b..b7ec458000f28240e79d44d2e50a5de29d4c48aa 100644
--- a/install/ui/src/freeipa/_base/Singleton_registry.js
+++ b/install/ui/src/freeipa/_base/Singleton_registry.js
@@ -69,6 +69,10 @@ define(['dojo/_base/declare',
 obj = this._map[type] = this.builder.build(type);
 } catch (e) {
 if (e.code === 'no-ctor-fac') obj = null;
+else {
+window.console.error('Error while building: ' + type);
+throw e;
+}
 }
 }
 
diff --git a/install/ui/src/freeipa/widgets/ActionDropdownWidget.js b/install/ui/src/freeipa/widgets/ActionDropdownWidget.js
index c43c79b5448b024368bcb7ab766e8770a0011a71..2ddcff64bf04070737332c20fff35edb7337c302 100644
--- a/install/ui/src/freeipa/widgets/ActionDropdownWidget.js
+++ b/install/ui/src/freeipa/widgets/ActionDropdownWidget.js
@@ -74,6 +74,12 @@ define(['dojo/_base/declare',
 for (i=0; ithis.action_names.length; i++) {
 name = this.action_names[i];
 action = this.facet.actions.get(name);
+if (!action) {
+window.console.error(
+ActionDropDown: cannot find action:  + name +
+\nFacet: +facet.name);
+continue;
+}
 this.add_action(action, true);
 }
 this.recreate_options();
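Review bot: the new error branch reads `facet.name`, but the surrounding code resolves actions through `this.facet` (`this.facet.actions.get(name)` two lines above) and no local `facet` is defined in this scope, so the path meant to report a missing action throws a ReferenceError instead of logging; use `this.facet.name`.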
-- 
2.1.0


[Freeipa-devel] [PATCH 0339-0363] Implement meta-database

2015-05-15 Thread Petr Spacek
Hello,

this patch set adds a meta-database which is one of the prerequisites for other work.

These changes should not be user-visible. You might compile the plugin with
CFLAGS=-DMETADB_DEBUG and check the content of /tmp/metadb.db after BIND shutdown.

Please see
https://fedorahosted.org/bind-dyndb-ldap/ticket/151
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/MetaDB
for further information and let me know if I can help you somehow.

-- 
Petr^2 Spacek
From cb7f1aef90d356b195ddae46e3841627234e9208 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 29 Apr 2015 11:13:41 +0200
Subject: [PATCH] Add LDAP UUID - meta-database name mapping function.

https://fedorahosted.org/bind-dyndb-ldap/ticket/151
---
 configure.ac|  2 ++
 src/Makefile.am |  2 ++
 src/mldap.c | 68 +
 src/mldap.h | 11 ++
 4 files changed, 83 insertions(+)
 create mode 100644 src/mldap.c
 create mode 100644 src/mldap.h

diff --git a/configure.ac b/configure.ac
index 9026f6d70fb008813681ab3f3eb51e9e2fec7be0..d7e64772e43a743d75d1b63b05fabe45acefb12d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -73,6 +73,8 @@ AC_CHECK_LIB([ldap], [ldap_initialize], [],
 	AC_MSG_ERROR([Install OpenLDAP development files]))
 AC_CHECK_LIB([krb5], [krb5_cc_initialize], [],
 	AC_MSG_ERROR([Install Kerberos 5 development files]))
+AC_CHECK_LIB([uuid], [uuid_unparse], [],
+	AC_MSG_ERROR([Install UUID library development files]))
 
 # Check version of libdns
 AC_MSG_CHECKING([libdns version])
diff --git a/src/Makefile.am b/src/Makefile.am
index 73aa8a3afa1bea0e63a0ac04ca13f58e4ad512cf..68ddba87582e0e590e51ad05782d18a8fdcfbcd0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -13,6 +13,7 @@ HDRS =\
 	ldap_helper.h		\
 	lock.h			\
 	log.h			\
+	mldap.h			\
 	rbt_helper.h		\
 	rdlist.h		\
 	semaphore.h		\
@@ -38,6 +39,7 @@ ldap_la_SOURCES =		\
 	ldap_helper.c		\
 	lock.c			\
 	log.c			\
+	mldap.c			\
 	rbt_helper.c		\
 	rdlist.c		\
 	semaphore.c		\
diff --git a/src/mldap.c b/src/mldap.c
new file mode 100644
index ..0b2d0db43624131fc569b05e1492fbc6a7f68c30
--- /dev/null
+++ b/src/mldap.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2015  bind-dyndb-ldap authors; see COPYING for license
+ *
+ * Meta-database for LDAP-specific information which are not represented in
+ * DNS data.
+ */
+
+#include ldap.h
+#include stddef.h
+#include uuid/uuid.h
+
+#include isc/result.h
+#include isc/util.h
+
+#include dns/name.h
+
+#include mldap.h
+#include util.h
+
+/* name ldap.uuid. */
+static unsigned char uuid_rootname_ndata[]
+	= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
+static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
+static dns_name_t uuid_rootname =
+{
+	DNS_NAME_MAGIC,
+	uuid_rootname_ndata,
+	sizeof(uuid_rootname_ndata),
+	sizeof(uuid_rootname_offsets),
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	uuid_rootname_offsets,
+	NULL,
+	{ (void *)-1, (void *)-1 },
+	{ NULL, NULL }
+};
+
+/**
+ * Convert UUID to 01234567-89ab-cdef-0123-456789abcdef.uuid.ldap. DNS name.
+ *
+ * @param[in]  beruuid
+ * @param[out] nameuuid
+ */
+void
+ldap_uuid_to_mname(struct berval *beruuid, dns_name_t *nameuuid) {
+	/* UUID string representation according to RFC 4122 section 3 */
+	char label_buf[sizeof(01234567-89ab-cdef-0123-456789abcdef) + 1];
+	/* uncompressed label format, length 36 octets; RFC 1034 section 3.1 */
+	label_buf[0] = 36;
+
+	isc_region_t label_reg;
+	label_reg.base = (unsigned char *)label_buf;
+	label_reg.length = sizeof(label_buf) - 1; /* omit final \0 */
+
+	dns_name_t relative_name;
+	DNS_NAME_INIT(relative_name, NULL);
+
+	/* RFC 4530 section 2.1 format = 16 octets is required */
+	REQUIRE(beruuid != NULL  beruuid-bv_len == 16);
+
+	/* fill-in string representation into label buffer */
+	uuid_unparse((*(const uuid_t *) beruuid-bv_val), label_buf + 1);
+	dns_name_fromregion(relative_name, label_reg);
+
+	INSIST(dns_name_concatenate(relative_name, uuid_rootname,
+nameuuid, NULL) == ISC_R_SUCCESS);
+
+	return;
+}
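Review bot: `REQUIRE(beruuid != NULL && beruuid->bv_len == 16)` turns bad input into an abort of the whole named process, and the value being checked comes from the directory (an entryUUID read over LDAP), so a mis-typed or truncated attribute value becomes a denial of service for DNS instead of a skipped entry; return `isc_result_t` and fail with something like `ISC_R_UNEXPECTED` rather than asserting, and likewise let the `ISC_R_NOSPACE` that `dns_name_concatenate` can return propagate rather than `INSIST` on it. Two smaller points: the case of `uuid_unparse` output is a build-time default of libuuid, so use `uuid_unparse_lower` to guarantee the lower-case form the doc comment promises, and document that the caller's `nameuuid` must have room for the fixed 48-octet result (the 37-octet label plus the `uuid`, `ldap` and root labels).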
diff --git a/src/mldap.h b/src/mldap.h
new file mode 100644
index ..dcf2556326ccea5037b32e71ab5da216f0f44ba4
--- /dev/null
+++ b/src/mldap.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2015  bind-dyndb-ldap authors; see COPYING for license
+ */
+
+#ifndef SRC_MLDAP_H_
+#define SRC_MLDAP_H_
+
+void
+ldap_uuid_to_mname(struct berval *beruuid, dns_name_t *nameuuid);
+
+#endif /* SRC_MLDAP_H_ */
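Review bot: the header uses `struct berval` and `dns_name_t` but includes neither `<ldap.h>` nor `<dns/name.h>`, so it compiles only when every includer happens to pull those in first (mldap.c does); add the two includes, or at least a forward declaration of `struct berval`, so the header is self-contained.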
-- 
2.1.0

From 7c556a58ff4fb919c089f3f65ad2ed8d415a1fa0 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 12 May 2015 13:04:41 +0200
Subject: [PATCH] Add basic infrastructure for generic meta-database.

https://fedorahosted.org/bind-dyndb-ldap/ticket/151
---
 src/Makefile.am |   2 +
 src/metadb.c| 256 
 src/metadb.h|  52 
 3 files changed, 310 insertions(+)
 create mode 100644 

Re: [Freeipa-devel] [PATCH] 822 webui: topology plugin

2015-05-15 Thread Petr Vobornik

On 04/21/2015 04:09 PM, Petr Vobornik wrote:

First iteration of Topology plugin Web UI.

It reflects current state of topology plugin python part which is
implemented in [PATCH] manage replication topology in the shared tree
and my wip patch.

I expect that the server API part will change a bit therefore this will
as well.

Graphical visualization/management (ticket 4286)  will be implemented in
separate patch.

https://fedorahosted.org/freeipa/ticket/4997
http://www.freeipa.org/page/V4/Manage_replication_topology




New version attached. It requires stage user web ui patches in order to 
apply (I expect that user life cycle backend will be pushed sooner than 
topology)


Changes:
- Left host and Right host fields are now host comboboxes
- Connectivity are radio buttons with both, left-right, right-left, 
none options

- segment name is not a required field in its adder dialog

IMHO Attributes to strip, Attributes to replicate, Attributes for 
total update, Initialize replica, Session timeout, Replication 
agreement enabled fields should not be just free-form textboxes, but 
they should be more specific, e.g. a checkbox for Replication agreement 
enabled or integer for Session timeout, but that should be modified 
first in the backend python plugin.

--
Petr Vobornik
From 135fbc6ce866a29194557c0d9a1a1027423fb57d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 21 Apr 2015 15:50:54 +0200
Subject: [PATCH] webui: topology plugin

https://fedorahosted.org/freeipa/ticket/4997
---
 install/ui/doc/categories.json |   1 +
 install/ui/src/freeipa/app.js  |   1 +
 install/ui/src/freeipa/navigation/menu_spec.js |   1 +
 install/ui/src/freeipa/topology.js | 193 +
 install/ui/test/data/ipa_init.json |   5 +
 ipalib/plugins/internal.py |   5 +
 6 files changed, 206 insertions(+)
 create mode 100644 install/ui/src/freeipa/topology.js

diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json
index aa5e6f5db3d17aa02e2f1694239e635f40161b12..ee02e45d958845b52b714065ddc5119d73e3920c 100644
--- a/install/ui/doc/categories.json
+++ b/install/ui/doc/categories.json
@@ -253,6 +253,7 @@
 otptoken,
 radiusproxy,
 stageuser,
+topology,
 user,
 plugins.load,
 plugins.login,
diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index 140fe938f68975310175fb9fadf0ec36db048b72..9b290ab0eee216f8b8adb3181a1b3e7ac22fb351 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -47,6 +47,7 @@ define([
 './service',
 './sudo',
 './trust',
+'./topology',
 './user',
 './stageuser',
 'dojo/domReady!'
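Review bot: `'./topology'` is inserted between `'./trust'` and `'./user'`, breaking the alphabetical order the list otherwise keeps (service, sudo, trust, user); move it before `'./trust'`. The `'./stageuser'` context line after `'./user'` has the same problem, inherited from the stage user patch in this digest.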
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 13f533d1a6fbb21c73e1f0e5fe1df2836c99f832..0cdc1d557d00c78f5ffc5304627363ae3bc3102a 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -184,6 +184,7 @@ var nav = {};
 { entity: 'trustconfig' }
 ]
 },
+{ entity: 'topologysuffix', label: '@i18n:tabs.topology' },
 { entity: 'config' }
 ]
 }
diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
new file mode 100644
index ..2c098d92470749b6f52a360494b59b1fe0f6c714
--- /dev/null
+++ b/install/ui/src/freeipa/topology.js
@@ -0,0 +1,193 @@
+//
+// Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+//
+
+define([
+'dojo/on',
+'./ipa',
+'./jquery',
+'./menu',
+'./phases',
+'./reg',
+'./rpc',
+'./text',
+'./details',
+'./facet',
+'./search',
+'./entity'],
+function(on, IPA, $, menu, phases, reg, rpc, text, mod_details, mod_facet) {
+/**
+ * Topology module
+ * @class
+ * @singleton
+ */
+var topology = IPA.topology = {
+};
+
+var make_suffix_spec = function() {
+return {
+name: 'topologysuffix',
+enable_test: function() {
+return true;
+},
+facet_groups: [ 'segments', 'settings' ],
+facets: [
+{
+$type: 'search',
+columns: [
+'cn',
+'iparepltopoconfroot'
+]
+},
+{
+$type: 'nested_search',
+facet_group: 'segments',
+nested_entity: 'topologysegment',
+search_all_entries: true,
+label: '@mo:topologysegment.label',
+tab_label: '@mo:topologysegment.label',
+name: 'topologysegment',
+columns: [
+'cn',
+'iparepltoposegmentleftnode',
+

Re: [Freeipa-devel] [PATCH 0246] Don't use proxy to check CA status during install/upgrade

2015-05-15 Thread Jan Cholasta

Hi,

Dne 13.5.2015 v 13:46 Martin Basti napsal(a):

https://fedorahosted.org/freeipa/ticket/4994

Patch attached.


Thanks, ACK.

Pushed to master: 3c86b0ef3e684d45301ae2c2452932ea4f279f08

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 832-850 Stage Users Web UI and its prerequisites

2015-05-15 Thread Petr Vobornik

On 05/15/2015 10:59 AM, Petr Vobornik wrote:

Stage User Web UI is actually just the last four patches (847-850).

I expect that patch 848 - deleter dialog needs some adjustments (was
discussed offline).

The rest are prerequisites, namely:
- update of patternfly
- update navigation code to support multiple entities under one entity
tree (it broke a memory feature/bug of the navigation)
- support for facet tabs in sidebar





Attaching new version of 847-1. The old version did not apply because I 
had also a new version of topology plugin UI (will be sent later today) 
in my git tree.

--
Petr Vobornik
From 4fd0856a3f0a278d44b7dd9501508ab7afc0b58d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 22 Apr 2015 14:57:26 +0200
Subject: [PATCH] webui: stageuser plugin

---
 install/ui/doc/categories.json |   1 +
 install/ui/src/freeipa/app.js  |   1 +
 install/ui/src/freeipa/navigation/menu_spec.js |  17 +-
 install/ui/src/freeipa/stageuser.js| 351 +
 install/ui/src/freeipa/user.js |  17 +-
 install/ui/test/data/ipa_init.json |  10 +
 ipalib/plugins/internal.py |  11 +
 7 files changed, 406 insertions(+), 2 deletions(-)
 create mode 100644 install/ui/src/freeipa/stageuser.js

diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json
index c84077682eafa42981e8a1c1a2f93c712e6421fd..9de673593765fc828cca07b4ad133ea16a5ccd76 100644
--- a/install/ui/doc/categories.json
+++ b/install/ui/doc/categories.json
@@ -250,6 +250,7 @@
 idviews,
 otptoken,
 radiusproxy,
+stageuser,
 user,
 plugins.load,
 plugins.login,
diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index 46752fa09e47be9e14e5fa37ce1bd1cbd0b0afdf..140fe938f68975310175fb9fadf0ec36db048b72 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -48,6 +48,7 @@ define([
 './sudo',
 './trust',
 './user',
+'./stageuser',
 'dojo/domReady!'
 ],function(app_container) {
 return app_container;
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index ca1a290f479fd0cc6a399e6bc93bd3e8ed1fca40..13f533d1a6fbb21c73e1f0e5fe1df2836c99f832 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -36,7 +36,22 @@ var nav = {};
 name: 'identity',
 label: '@i18n:tabs.identity',
 children: [
-{ entity: 'user' },
+{
+entity: 'user',
+facet: 'search',
+children: [
+{
+entity: 'stageuser',
+facet: 'search',
+hidden: true
+},
+{
+entity: 'user',
+facet: 'search_preserved',
+hidden: true
+}
+]
+},
 { entity: 'group' },
 { entity: 'host' },
 { entity: 'hostgroup' },
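Review bot: both entries added under the 'user' item carry hidden: true and nothing in the hunk says why hidden items are declared at all; a one-line comment above the children array (the cover letter says the navigation code was changed to support multiple entities under one entity tree, so presumably that is what these two entries feed) would save the next reader a trip through the navigation code.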
diff --git a/install/ui/src/freeipa/stageuser.js b/install/ui/src/freeipa/stageuser.js
new file mode 100644
index ..8334d556551f2b35a41aa59429d1b9e37995b3b7
--- /dev/null
+++ b/install/ui/src/freeipa/stageuser.js
@@ -0,0 +1,351 @@
+//
+// Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+//
+
+define([
+'dojo/on',
+'./ipa',
+'./jquery',
+'./menu',
+'./phases',
+'./reg',
+'./rpc',
+'./text',
+'./details',
+'./facet',
+'./user',
+'./search',
+'./entity'],
+function(
+on, IPA, $, menu, phases, reg, rpc, text, mod_details, mod_facet, mod_user) {
+/**
+ * Stage user module
+ * @class
+ * @singleton
+ */
+var stageuser = IPA.stageuser = {
+
+search_facet_group: {
+name: 'search',
+label: '@i18n:objects.stageuser.user_categories',
+facets: {
+search_normal: 'user_search',
+search: 'stageuser_search',
+search_preserved: 'user_search_preserved'
+}
+}
+};
+
+var make_stageuser_spec = function() {
+return {
+name: 'stageuser',
+facet_groups: ['settings'],
+facets: [
+{
+$type: 'search',
+disable_facet_tabs: false,
+tabs_in_sidebar: true,
+tab_label: '@i18n:objects.stageuser.label',
+facet_groups: [stageuser.search_facet_group],
+facet_group: 'search',
+columns: [
+'uid',
+'givenname',
+
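Review bot: the dependency list names './search' and './entity' without matching callback parameters, and of the eleven parameters only IPA and mod_user are used in the part of the file visible here; mark the side-effect-only loads with a comment and drop any of on, $, menu, phases, rpc, text, mod_details and mod_facet that the rest of the file does not use, since unused parameters tend to outlive the code that needed them.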

Re: [Freeipa-devel] [PATCH 0248] DNSSEC: Fix: Do not recreate kasp.db if already exists

2015-05-15 Thread Petr Spacek
On 14.5.2015 17:09, Martin Basti wrote:
 https://fedorahosted.org/freeipa/ticket/4657
 
 Patch attached.

ACK for this change, but generally it would be nice if the function
__setup_dnssec had a more meaningful name, e.g. __setup_opendnssec_db.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0249] DNSSEC: update kasp configuration template: increase key size lifetime

2015-05-15 Thread Petr Spacek
On 14.5.2015 17:23, Martin Basti wrote:
 https://fedorahosted.org/freeipa/ticket/4657

Looking at 3072 bit key size, I think we can prolong KSK key rotation period
to 2 years.

It should be okay according to http://dx.doi.org/10.6028/NIST.SP.800-81-2
section 11.2.

Modified patch is attached.

Thank you for reviewing it :-)

-- 
Petr^2 Spacek
From 72a859796a05f90728b783c9c45e739b8081d51f Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 14 May 2015 17:17:55 +0200
Subject: [PATCH] DNSSEC: update OpenDNSSEC KASP configuration

* remove unneeded parts
* increase KSK key length to 3072
* increase KSK key lifetime to 2 years (see NIST SP 800-81-2 section 11.2)

Update is not required, as the template contains just recommended values
which should be reviewed by administrators.

https://fedorahosted.org/freeipa/ticket/4657
---
 install/share/opendnssec_kasp.template | 79 ++
 1 file changed, 3 insertions(+), 76 deletions(-)

diff --git a/install/share/opendnssec_kasp.template b/install/share/opendnssec_kasp.template
index cad9f7c5d51bcaac6866cb9db3b84d69a86e7f17..803b945a04977dde26b46faa9169a10389023062 100644
--- a/install/share/opendnssec_kasp.template
+++ b/install/share/opendnssec_kasp.template
@@ -1,20 +1,9 @@
 ?xml version=1.0 encoding=UTF-8?
 
-!--
-
-  NOTE:  The default policy below is a TEMPLATE ONLY and should be reviewed
- before used in any production environment. The administrator should
- consult the OpenDNSSEC documentation before changing any parameters.
-
- If you can read this message, it is likely that this file has not
- been reviewed nor updated.
-
-  --
-
 KASP
 
 	Policy name=default
-		DescriptionA default policy that will amaze you and your friends/Description
+		DescriptionIPA default policy/Description
 		Signatures
 			ResignPT2H/Resign
 			RefreshP3D/Refresh
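Review bot: removing the NOTE block takes away the only in-file reminder that the policy is a template to be reviewed before production use, while the commit message itself says the values "should be reviewed by administrators"; keep a short XML comment to that effect (one or two lines pointing at the OpenDNSSEC documentation) instead of dropping it entirely.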
@@ -49,8 +38,8 @@
 
 			!-- Parameters for KSK only --
 			KSK
-Algorithm length=20488/Algorithm
-LifetimeP1Y/Lifetime
+Algorithm length=30728/Algorithm
+LifetimeP2Y/Lifetime
 RepositorySoftHSM/Repository
 			/KSK
 
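Review bot: the reason for the 3072-bit KSK and the P2Y Lifetime (NIST SP 800-81-2 section 11.2, per the commit message) is invisible to whoever edits the template later; add an XML comment next to the KSK block citing it, and state in the commit message that existing installations keep their previous 2048/P1Y values, since the message says no update step is performed.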
@@ -85,66 +74,4 @@
 
 	/Policy
 
-	Policy name=lab
-		DescriptionQuick turnaround policy for lab work/Description
-		Signatures
-			ResignPT10M/Resign
-			RefreshPT30M/Refresh
-			Validity
-DefaultPT1H/Default
-DenialPT1H/Denial
-			/Validity
-			JitterPT1M/Jitter
-			InceptionOffsetPT3600S/InceptionOffset
-		/Signatures
-
-		Denial
-			NSEC/
-		/Denial
-
-		Keys
-			!-- Parameters for both KSK and ZSK --
-			TTLPT300S/TTL
-			RetireSafetyPT360S/RetireSafety
-			PublishSafetyPT360S/PublishSafety
-			!-- ShareKeys/ --
-			PurgeP14D/Purge
-
-			!-- Parameters for KSK only --
-			KSK
-Algorithm length=20488/Algorithm
-LifetimeP1Y/Lifetime
-RepositorySoftHSM/Repository
-			/KSK
-
-			!-- Parameters for ZSK only --
-			ZSK
-Algorithm length=20488/Algorithm
-LifetimePT4H/Lifetime
-RepositorySoftHSM/Repository
-!-- ManualRollover/ --
-			/ZSK
-		/Keys
-
-		Zone
-			PropagationDelayPT300S/PropagationDelay
-			SOA
-TTLPT300S/TTL
-MinimumPT300S/Minimum
-Serialunixtime/Serial
-			/SOA
-		/Zone
-
-		Parent
-			PropagationDelayPTS/PropagationDelay
-			DS
-TTLPT3600S/TTL
-			/DS
-			SOA
-TTLPT172800S/TTL
-MinimumPT10800S/Minimum
-			/SOA
-		/Parent
-
-	/Policy
 /KASP
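Review bot: the whole Policy name=lab block is deleted while only the template changes in this patch; confirm that no installer script or documentation selects a policy by the name lab (the commit message only says "remove unneeded parts") and say so in the message so the removal is clearly intentional.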
-- 
2.1.0


Re: [Freeipa-devel] Wiki: automatic bookkeeping of Design documents

2015-05-15 Thread Martin Kosek

On 05/06/2015 08:47 AM, Martin Kosek wrote:

Hello all,

Knowing the sorrow and unmaintained state of the pages collecting links to our
designs [1][2], I think we need to execute the second half of my evil plan for
Design Document management.

We have the Feature design box (see top right corner, e.g. in [3]), so we can
easily automatically generate mediawiki categories. The first I implemented in
the template are FreeIPA $VERSION Design when target version is filled (and
design is thus accepted for a release) and FreeIPA Design Proposal for
others. We can be creative with other categories in future, if needed.

But even these 2 and a DynamicPageList plugin allowed me to create
automatically generated design lists, in [4]. I had to update the box in many
designs, however.

Makes sense? If yes, I would update these pages. Of course, this requires
developers to maintain the Feature box properly, but I think it's worth it.


[1] http://www.freeipa.org/page/V4_Proposals
[2] http://www.freeipa.org/page/V4_Designs
[3] http://www.freeipa.org/page/V4/User_Certificates
[4] http://www.freeipa.org/page/Talk:V4_Designs



Thanks everyone for commenting. Seeing the positive feedback, I did the changes 
and updated the Code Contribution policy and the pages themselves:


http://www.freeipa.org/page/Contribute/Code
http://www.freeipa.org/page/V4_Designs
http://www.freeipa.org/page/V4_Proposals

Enjoy!
Martin



Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management

2015-05-15 Thread Martin Basti

On 15/05/15 10:24, Fraser Tweedale wrote:

Please find attached latest patches including new patches:

- 0006 enable LDAP-based profiles in Dogtag on upgrade
- 0007 import included profiles during install or upgrade

There is one TODO in the patches where some more code is needed on
Dogtag side, and another TODO (not in patches) to migrate
caIPAserviceCert profile to DefaultService profile and switch to
using DefaultService for certificate issuance (as the default
profile).

Jan and Martin, further comments to earlier reviews inline.

Cheers,
Fraser

On Wed, May 13, 2015 at 10:39:55AM +0200, Jan Cholasta wrote:

Dne 13.5.2015 v 10:36 Martin Basti napsal(a):

On 13/05/15 10:06, Jan Cholasta wrote:

Hi,

Dne 5.5.2015 v 10:38 Martin Basti napsal(a):

On 05/05/15 08:29, Fraser Tweedale wrote:

On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote:

On 04/05/15 15:36, Fraser Tweedale wrote:

Hello,

Please review the first cut of the 'certprofile' command and other
changes associated with the Certificate Profiles feature[1].

Custom profiles can't be used yet because 'cert-request' has not
been updated, but you can manage the profiles (find, show, import,
modify, delete).  There's a bit more work to do on profile
management and a lot more to do for using profiles and sub-CAs.  I
am tracking my progress on etherpad[2] so if you are reviewing check
there for the TODO list and some commentary.

If you want to test: for f21, please use Dogtag from my copr[2].
For f22 the required version is in updates-testing (or my copr).

In summary: this is not the whole feature, just the first functional
part.  Since it is my first experience developing in the IPA
framework I want to get patches out so you can point out all the
things I did wrong or overlooked, and I can fix them. Don't hold
back :)

[1] http://www.freeipa.org/page/V4/Certificate_Profiles
[2] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
[3] http://copr.fedoraproject.org/coprs/ftweedal/freeipa/



Thank you for patches, I have no idea what kind of dogtag magic is
happening there, but I have a few comments related to IPA:


Thanks for reviewing, Martin.  Comments inline.

You are welcome, comments inline.
Martin^2

Upgrade:

1)

+config.set(CA, pki_profiles_in_ldap, True)

IMO this will work only for new installations. For upgrade you may
need to add this to ipa-upgradeconfig


OK.


2)
+dn: cn=certprofiles,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: certprofiles

IMO this will work only for new installations. For upgrade you may
need to add it into update file as well, with the 'default' keyword


I don't understand about the 'default' keyword - can you explain this
some more?

In an upgrade file:

dn: cn=certprofiles,cn=etc,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: certprofiles

Maybe we should do what DNS does and have a container for CA specific
stuff in the suffix: cn=ca,$SUFFIX.

The container would be created only if CA is installed.

Certificate profile container would then be
cn=certprofiles,cn=ca,$SUFFIX.


I haven't changed this for the current patchset.  What are the
implications / motivations for changing it?


3)
Your patch 0004 will work on new installations only. You may need
to add that new step into ipa-upgradeconfig.

Must that step be there during installation?
If not, you can create just one update file, which will be applied at
the end of installation and during upgrade.


This change must be made to the Dogtag directory (not IPA) - can an
update file be used to do that?  If not, is ipa-upgradeconfig the
best place to make this change?

If it is change in LDAP, you can use updatefile:

dn: cn=aclResources,$SUFFIX
add:resourceACLS: certServer.profile.configuration:read,modify:allow
(read,modify) group=Certificate Manager Agents:Certificate Manager
agents may modify (create/update/delete) and read profiles

Please temporarily use my patch freeipa-mbasti-231-4, (which will be
pushed soon) to avoid issues with CSV

Note that this update should be done only if CA is installed.

In that case, you must create update plugins.

I would prefer a CAInstance method called during install and in
ipa-upgradeconfig. So more or less what Fraser already did, except the
ipa-upgradeconfig part.


Patch 0004 was updated and now has CAInstance method during install,
and ipa-upgradeconfig method for upgrade.


Martin^2

Other issues:
1)
I do not see modifications in API.txt file

2)
We use new shorter license header
#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

3)
+from ipalib.plugins.baseldap import \
+LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPUpdate, LDAPRetrieve

please use 'import ( modules, .. )' instead of '\'

4)
+if method == 'POST' \
+and 'content-type' not in (str(k).lower() for k in headers.viewkeys()):

again, please use if ( ... ): instead \

5)
+import  ipalib.errors as errors
in dogtag.py
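To make the 'default' keyword concrete, here is an added example (not IPA's ldapupdate code) that applies the two update snippets quoted in this thread to an in-memory directory. The semantics are assumptions simplified from the real updater: 'default' values are used only when the entry has to be created, 'add' appends a value to an existing entry, and everything after the attribute name is one value, so the commas inside the ACL are not split (the CSV problem mentioned above).

```python
"""Added example, not ipaserver.install.ldapupdate: a minimal model of
FreeIPA update-file semantics for the two snippets quoted in this thread.

Assumed (simplified) semantics:
  default:attr: value  -> used only when the entry does not exist yet;
                          ignored on an existing entry
  add:attr: value      -> append the value if it is not already present
  remove:attr: value   -> drop the value if present
Keywords such as only/replace/addifnew are not modelled.  Everything after
the attribute name is a single value, so commas inside an ACL survive.
"""

SUFFIX = "dc=example,dc=test"          # constructed sample suffix

# Constructed from the snippets quoted in this thread.
CERTPROFILES_UPDATE = """\
dn: cn=certprofiles,cn=etc,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: certprofiles
"""

ACL_UPDATE = """\
dn: cn=aclResources,$SUFFIX
add:resourceACLS: certServer.profile.configuration:read,modify:allow (read,modify) group=Certificate Manager Agents:Certificate Manager agents may modify (create/update/delete) and read profiles
"""

KNOWN_KEYWORDS = ("default", "add", "remove")


def parse_update(text, suffix):
    """Return [(dn, [(keyword, attr, value), ...]), ...] with $SUFFIX expanded."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.replace("$SUFFIX", suffix)
        if line.startswith("dn:"):
            current = (line[3:].strip(), [])
            blocks.append(current)
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % raw)
        keyword, rest = line.split(":", 1)
        if keyword not in KNOWN_KEYWORDS:
            raise ValueError("unsupported keyword %r in %r" % (keyword, raw))
        attr, value = rest.split(":", 1)       # value keeps its own ':' and ','
        current[1].append((keyword, attr.strip(), value.strip()))
    return blocks


def apply_update(directory, blocks):
    """Apply parsed blocks to `directory` (dict dn -> {attr: [values]}).

    Returns [(dn, status)] with status in created / updated / unchanged,
    so a second run over the same data reports 'unchanged' for every dn.
    """
    report = []
    for dn, ops in blocks:
        defaults = [(a, v) for k, a, v in ops if k == "default"]
        changes = [(k, a, v) for k, a, v in ops if k != "default"]
        if dn in directory:
            entry, status = directory[dn], "unchanged"   # defaults are ignored
        else:
            entry, status = {}, "created"
            for attr, value in defaults:
                entry.setdefault(attr, []).append(value)
            directory[dn] = entry
        for keyword, attr, value in changes:
            values = entry.setdefault(attr, [])
            if keyword == "add" and value not in values:
                values.append(value)
                status = "updated" if status == "unchanged" else status
            elif keyword == "remove" and value in values:
                values.remove(value)
                status = "updated" if status == "unchanged" else status
            if not values:
                del entry[attr]
        report.append((dn, status))
    return report


def demo():
    """Install-then-upgrade run over a constructed directory; returns both
    reports and the final directory."""
    directory = {
        # cn=aclResources already exists on a server; the container does not.
        "cn=aclResources," + SUFFIX: {"resourceACLS": ["constructed-existing-acl"]},
    }
    blocks = parse_update(CERTPROFILES_UPDATE, SUFFIX) + parse_update(ACL_UPDATE, SUFFIX)
    first = apply_update(directory, blocks)      # fresh install
    second = apply_update(directory, blocks)     # upgrade: must be a no-op
    return first, second, directory


if __name__ == "__main__":
    for report in demo()[:2]:
        for dn, status in report:
            print("%-45s %s" % (dn, status))
```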


Re: [Freeipa-devel] [PATCH 0249] DNSSEC: update kasp configuration template: increase key size lifetime

2015-05-15 Thread Martin Basti

On 15/05/15 13:12, Petr Spacek wrote:

On 14.5.2015 17:23, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4657

Looking at 3072 bit key size, I think we can prolong KSK key rotation period
to 2 years.

It should be okay according to http://dx.doi.org/10.6028/NIST.SP.800-81-2
section 11.2.

Modified patch is attached.

Thank you for reviewing it :-)


ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0322-0337] Fix mysterious failures in PTR record synchronization

2015-05-15 Thread Tomas Hozza
On 05/05/2015 05:24 PM, Petr Spacek wrote:
 Hello,
 
 Attached patch set is the best fix for
 https://fedorahosted.org/bind-dyndb-ldap/ticket/155
 I was able to write.
 
 This patch set should fix vast majority of race conditions. Unfortunately it
 cannot be 100 % reliable without support for LDAP transactions.
 
 For convenience you can download the whole tree from
 https://github.com/pspacek/bind-dyndb-ldap/commits/t155.syncptr
 HEAD = da2552632f6ce67f1bb9d9b3cdd3e0a8e06ce9ea
 
 Enjoy.
 

Hi.

There is one unused variable after patch 325
Move SOA serial update functions to zone.c.

- it looks like you forgot to remove:
https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L3892
https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L4037
https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L4038

Other than that, patches look good. I tested them and reviewed from
https://github.com/pspacek/bind-dyndb-ldap/commits/t155.syncptr

ACK with the fix for unused variable.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.   http://cz.redhat.com



Re: [Freeipa-devel] [PATCH] 832-850 Stage Users Web UI and its prerequisites

2015-05-15 Thread David Kupka

On 05/15/2015 12:34 PM, Petr Vobornik wrote:

On 05/15/2015 10:59 AM, Petr Vobornik wrote:

Stage User Web UI is actually just the last four patches(847-850).

I expect that patch 848 - deleter dialog needs some adjustments (was
discussed offline).

The rest are prerequisites, namely:
- update of patternfly
- update navigation code to support multiple entities under one entity
tree (it broke a memory feature/bug of the navigation)
- support for facet tabs in sidebar





Attaching new version of 847-1. The old version did not apply because I
also had a new version of the topology plugin UI (will be sent later today)
in my git tree.

Hi!
thanks for patches. Please note that I tested only functionality because 
I'm not familiar with WebUI internals.


I tried your patch set together with Thierry's ULC patches and found 
following issues:


1) Missing all but 'Delete' actions in single stage user view. 'Enable',
'Disable', 'Unlock', 'Add OTP Token' and 'Rebuild auto membership'
actions are not relevant here.


2) Missing 'Restore' action in single preserved user view.

3) When deleting a preserved user there are options to preserve or
permanently delete the user. This doesn't make sense and doesn't work.
A preserved user is always permanently removed.


4) Action 'Delete' in single user view deletes the user without asking 
whether to 'preserve' or 'delete permanently'.


*) I would prefer if the choice between 'preserve' and 'permanently
delete' in the delete dialog was made by directly clicking a button rather
than switching the 'mode' radio button and then clicking 'delete'.


Otherwise everything seems to work well.
--
David Kupka



Re: [Freeipa-devel] [PATCHES 0233-0234] DNSSEC: forwarders validation

2015-05-15 Thread Petr Spacek
On 7.5.2015 18:12, Martin Basti wrote:
 On 07/05/15 12:19, Petr Spacek wrote:
 On 7.5.2015 08:59, David Kupka wrote:
 On 05/06/2015 03:20 PM, Martin Basti wrote:
 On 05/05/15 15:00, Martin Basti wrote:
 On 30/04/15 15:37, David Kupka wrote:
 On 04/24/2015 02:56 PM, Martin Basti wrote:
 Patches attached.




 Hi,
 thanks for patches.

 1. You changed message in DNSServerNotRespondingWarning class but not
 the test in ipatest/test_xmlrpc/test_dns_plugin.py

 nitpick. Please spell 'edns' correctly. I've seen several instances
 of 'ends'.

 Thank you,

 updated patches attached:
 * new error messages
 * logging to debug log server output if exception was raised
 * fixed test
 * fixed spelling



 Fixed tests (again)

 Updated patches attached

 The code looks good to me and tests are no longer broken. (I would prefer
 a better fix of the tests but given that the priorities are different now it
 can wait.)

 Petr, can you please confirm that the patch set works for you?
 Sorry, NACK:

 $ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
 Server will check DNS forwarder(s).
 This may take some time, please wait ...
 ipa: ERROR: an internal error has occurred

 # /var/log/httpd/error_log
 ipa: ERROR: non-public: AssertionError:
 Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 350, 
 in
 wsgi_execute
  result = self.Command[name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
 __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in 
 run
  return self.execute(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line , 
 in
 execute
  **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 4405, 
 in
 _warning_if_forwarders_do_not_work
  log=self.log)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 715, in
 validate_dnssec_zone_forwarder_step2
  timeout=timeout)
File /usr/lib/python2.7/site-packages/ipalib/util.py, line 610, in
 _resolve_record
  assert isinstance(nameserver_ip, basestring)
 AssertionError
 ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsforwardzone_add(DNS
 name ptr.test., idnsforwarders=(u'10.34.47.236',), all=False, raw=False,
 version=u'2.116'): AssertionError

 This is constantly reproducible in my vm-090.abc. Let me know if you want to
 take a look.


 I'm attaching little response.patch which improves compatibility with older
 python-dns packages. This patch allows IPA to work while error messages are
 simply not as nice as they could be with latest python-dns :-)

 check_fwd_msg.patch is a little nitpick, just to make sure everyone
 understands the message.

 BTW why some messages in check_forwarders() are printed using 'print' and
 others using logger? I would prefer to use logger for everything to make sure
 that logs contain all the information, including warnings.

 Thank you for your time!

 Thank you, fixed.
 
 I added missing except block after forwarders validation step2.

I confirm that this works but I just discovered another deficiency.

Setup:
- DNSSEC validation is enabled on IPA server
- forwarder uses a fake TLD, e.g. 'test.'
- remote DNS server is responding, supports EDNS0 and so on

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server 10.34.78.90: query 'ptr.test. SOA': The DNS query
name does not exist: ptr.test..

Huh? Let's check named log:
 forward zone 'ptr.test': loaded
 validating ./SOA: got insecure response; parent indicates it should be secure

Sometimes I get SERVFAIL from IPA server, too.


Unfortunately this check was the main reason for writing this patchset so we
need to improve it.

Maybe validate_dnssec_zone_forwarder_step2() could special-case NXDOMAIN and
print the DNSSEC-validation-failed error, too? The problem is that it could
trigger some false positives because NXDOMAIN may simply be caused by a delay
somewhere.

Any ideas?


By the way, this is also weird:

$ ipa dnsforwardzone-add ptr.test. --forwarder=10.34.47.236
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS forward zone with name ptr.test. already exists

Is it actually doing the check even if the forward zone exists already? (This
is just nitpick, not a blocker!)

-- 
Petr^2 Spacek



[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

2015-05-15 Thread Martin Babinsky
These two patches fix two issues reported by David Kupka in the most recent
freeipa-master builds, which are caused by my previous patch 0031
'provide a dedicated ccache file to httpd'.


Patch 0033 moves `clientcaches` and `krbcache` directories under a 
common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This 
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are 
installed together with IPA. The removal of the former Apache module 
removes also the `krbcache` directory, thus invalidating the ccache path 
in KRB5CCNAME.


This of course causes spectacular explosions when calling the RPC interface
(aka always).


Patch 0034 forces HTTPInstance to explicitly remove ccache specified in 
our `httpd.service` override during uninstall. This fixes an issue 
related to uninstall of an old IPA server and immediate install of new 
IPA server.


In this case the old CCache is left in the httpd runtime dir, causing
'Decrypt integrity check failed' errors when connecting to the RPC interface
(old tickets are being sent to a KDC that has the new Apache secret key).


However, issuing 'kdestroy -A' as the apache user is not enough, because
systemd daemons use completely different isolated environments (and thus a
completely different KRB5CCNAME than the apache user). That's why we have to
explicitly remove the ccache using 'kdestroy -c'.


I would like to thank David for pointing out these issues.

--
Martin^3 Babinsky
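Since the cover letter explains why 'kdestroy -A' as the apache user cannot reach a ccache that only httpd's systemd environment names, here is an added helper (not the HTTPInstance code from patch 0034) that reads KRB5CCNAME from the unit override and removes exactly that file. Assumptions: the override has the shape of the init/systemd/httpd.service file in the patch, only a cache below a given runtime directory may be removed, and 'kdestroy -c' is used when available with a plain unlink as fallback.

```python
"""Added example, not FreeIPA's HTTPInstance code: remove the httpd ccache
named by the systemd override file during uninstall.

systemd gives httpd its own environment, so 'kdestroy -A' run as the apache
user never sees that KRB5CCNAME; the file must be destroyed by explicit path.
Assumptions: the override contains an Environment=KRB5CCNAME=... line (with
or without a FILE: prefix), and only caches below `runtime_root` are removed.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample with the shape of init/systemd/httpd.service from the patch.
SAMPLE_OVERRIDE = """\
.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
"""

_ENV_RE = re.compile(r'^Environment="?KRB5CCNAME=(?:FILE:)?([^"\s]+)')


def ccache_path_from_unit(unit_text):
    """Path from the last Environment=KRB5CCNAME line, or None if unset."""
    path = None
    for line in unit_text.splitlines():
        match = _ENV_RE.match(line.strip())
        if match:
            path = match.group(1)      # later assignments win, as in systemd
    return path


def is_under(path, root):
    """True if `path` resolves inside `root` (symlinks are followed first)."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(root)
    return real_path.startswith(real_root.rstrip(os.sep) + os.sep)


def remove_httpd_ccache(unit_text, runtime_root, run=subprocess.call):
    """Destroy the ccache the unit names, if it lies under runtime_root.

    Returns 'unset', 'refused', 'absent', 'kdestroy' or 'unlinked'.
    `run` is injectable so the fallback path can be exercised without kdestroy.
    """
    path = ccache_path_from_unit(unit_text)
    if path is None:
        return "unset"
    if not is_under(path, runtime_root):
        return "refused"               # never act on a cache outside our tree
    if not os.path.exists(path):
        return "absent"
    kdestroy = shutil.which("kdestroy")
    if kdestroy and run([kdestroy, "-c", path]) == 0 and not os.path.exists(path):
        return "kdestroy"
    os.unlink(path)                    # kdestroy missing, failed or left the file
    return "unlinked"


def demo(tmpdir=None):
    """Run the helper against a constructed cache file; returns the statuses."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="httpd-ccache-demo-")
    cache = os.path.join(tmpdir, "krbcache", "krb5ccache")
    os.makedirs(os.path.dirname(cache), exist_ok=True)
    open(cache, "w").close()
    unit = "[Service]\nEnvironment=KRB5CCNAME=FILE:%s\n" % cache
    failing = lambda argv: 1           # stand-in for an absent or failing kdestroy
    return [
        remove_httpd_ccache(unit, tmpdir, run=failing),                        # unlinked
        remove_httpd_ccache(unit, tmpdir, run=failing),                        # absent
        remove_httpd_ccache(unit, os.path.join(tmpdir, "other"), run=failing), # refused
        remove_httpd_ccache("[Service]\n", tmpdir, run=failing),               # unset
    ]


if __name__ == "__main__":
    print(demo())
```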
From ab77ecb1d43b851f89fdd1f3f895166da30cd0fc Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Fri, 15 May 2015 15:37:05 +0200
Subject: [PATCH 1/2] move IPA-related http runtime directories to common
 subdirectory

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use a common directory for storing the Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory, leading to an invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
---
 freeipa.spec.in| 8 ++--
 init/systemd/httpd.service | 2 +-
 init/systemd/ipa.conf.tmpfiles | 4 +++-
 install/conf/ipa.conf  | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
 
 [Service]
-Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
+Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
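Review bot: the new Environment=KRB5CCNAME value is only picked up after systemctl daemon-reload and an httpd restart, and the old /var/run/httpd/krbcache/krb5ccache is left behind on an upgraded server until reboot; since the cover letter says patch 0034 handles uninstall only, the commit message should say how an in-place upgrade gets from the old path to the new one.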
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
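Review bot: the same three directories are now listed here, in the spec's install -d lines and in its %dir entries; because /var/run is volatile, these tmpfiles entries are the ones that matter after a reboot, so a comment in ipa.conf.tmpfiles saying the list must stay in sync with freeipa.spec.in (and why the ipa/ parent exists: so that removing mod_auth_kerb cannot take the directory away) would help the next change.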
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 92637c04d4f961a0b7f016fe125341c63f400285..dd9b9fdc072a0815a84a2676fd292f734397446b 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -66,7 +66,7 @@ WSGIScriptReloading Off
   AuthName Kerberos Login
   GssapiCredStore 

Re: [Freeipa-devel] [PATCH 0338] Add includes to zone.c to improve compatibility with BIND 9.9.4

2015-05-15 Thread Petr Spacek
On 15.5.2015 15:50, Tomas Hozza wrote:
 On 05/07/2015 02:55 PM, Petr Spacek wrote:
 Hello,

 This is minor improvement for patch set related to ticket #155.

 Add includes to zone.c to improve compatibility with BIND 9.9.4.

 
 Hi.
 
 I tested and reviewed the patch from
 https://github.com/pspacek/bind-dyndb-ldap/commits/t155.syncptr
 
 ACK.

Pushed to master:
1e8a8461c2a27e37046a47f22c7203ff1aa5d6ba Add includes to zone.c to improve
compatibility with BIND 9.9.4.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0247] Modularization of the DNS subsytem installer

2015-05-15 Thread Martin Basti

On 14/05/15 15:16, Martin Basti wrote:

Required for new installers.

Patch attached.




Updated patch attached.

--
Martin Basti

From 71d1762e51603d756b605c28622a5a58c9c351e8 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 13 May 2015 18:49:25 +0200
Subject: [PATCH] DNS install: extract DNS installer into one module

This is a required modification to be able to move to the new installers.

DNS subsystem will be installed by functions in this module in each of
ipa-server-install, ipa-dns-install, ipa-replica-install install
scripts.
---
 install/tools/ipa-dns-install| 133 ++--
 install/tools/ipa-replica-install|  62 ++---
 install/tools/ipa-server-install | 116 +
 ipaserver/install/dns.py | 210 +++
 ipaserver/install/installutils.py|   2 +
 ipaserver/install/ipa_replica_prepare.py |   2 +
 ipaserver/install/krbinstance.py |   8 +-
 7 files changed, 269 insertions(+), 264 deletions(-)
 create mode 100644 ipaserver/install/dns.py

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 4527447a7dbc69ab16bcd93e48f3c02adce684d7..fd9311657e813988310db2be604ca68d26936af5 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -21,18 +21,16 @@
 
 from optparse import OptionGroup, SUPPRESS_HELP
 
-from ipaserver.install import (service, bindinstance, ntpinstance,
-httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
+from ipaserver.install import bindinstance, httpinstance
 from ipaserver.install.installutils import *
 from ipaserver.install import installutils
 from ipapython import version
-from ipapython import ipautil, sysrestore
-from ipapython.ipaldap import AUTOBIND_ENABLED
-from ipalib import api, errors, util
+from ipalib import api
 from ipaplatform.paths import paths
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import standard_logging_setup, root_logger
-from ipapython.ipautil import DN
+
+from ipaserver.install import dns as dns_installer
 
 log_file_name = paths.IPASERVER_INSTALL_LOG
 
@@ -96,48 +94,6 @@ def main():
 
 installutils.check_server_configuration()
 
-global fstore
-fstore = sysrestore.FileStore(paths.SYSRESTORE)
-
-print ==
-print This program will setup DNS for the FreeIPA Server.
-print 
-print This includes:
-print   * Configure DNS (bind)
-print   * Configure SoftHSM (required by DNSSEC)
-print   * Configure ipa-dnskeysyncd (required by DNSSEC)
-if options.dnssec_master:
-print   * Configure ipa-ods-exporter (required by DNSSEC key master)
-print   * Configure OpenDNSSEC (required by DNSSEC key master)
-print   * Generate DNSSEC master key (required by DNSSEC key master)
-print 
-print NOTE: DNSSEC zone signing is not enabled by default
-print 
-if options.dnssec_master:
-print DNSSEC support is experimental!
-print 
-print Plan carefully, current version doesn't allow you to move DNSSEC
-print key master to different server and master cannot be uninstalled
-print 
-print 
-print To accept the default shown in brackets, press the Enter key.
-print 
-
-if options.dnssec_master and not options.unattended and not ipautil.user_input(
-Do you want to setup this IPA server as DNSSEC key master?,
-False):
-sys.exit(Aborted)
-
-# Check bind packages are installed
-if not (bindinstance.check_inst(options.unattended) and
-dnskeysyncinstance.check_inst()):
-sys.exit(Aborting installation.)
-
-if options.dnssec_master:
-# check opendnssec packages are installed
-if not opendnssecinstance.check_inst():
-sys.exit(Aborting installation)
-
 # Initialize the ipalib api
 cfg = dict(
 in_server=True,
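Review bot: the removed block carries the safety checks, not just banner text: the DNSSEC key master confirmation prompt, the bind and opendnssec package checks and the "Aborting installation" exits; the diff stat shows ipaserver/install/dns.py growing by roughly the same amount, but the commit message should state that these checks move unchanged into the new module and are still run from all three installers, since a reviewer of this file alone cannot confirm it.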
@@ -146,93 +102,20 @@ def main():
 api.bootstrap(**cfg)
 api.finalize()
 
-
-# create BIND and OpenDNSSec instances
-
-bind = bindinstance.BindInstance(fstore, ldapi=True,
- autobind=AUTOBIND_ENABLED)
-
-ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True,
-autobind=AUTOBIND_ENABLED)
-if options.dnssec_master:
-ods.realm = api.env.realm
-dnssec_masters = ods.get_masters()
-# we can reinstall current server if it is dnssec master
-if not api.env.host in dnssec_masters and dnssec_masters:
-print DNSSEC key master(s):, u','.join(dnssec_masters)
-sys.exit(Only one DNSSEC key master is supported in current version.)
-
-ip_addresses = get_server_ip_address(api.env.host, fstore,
-options.unattended, True, options.ip_addresses)
-
-if options.no_forwarders:
-   
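Review bot: this hunk also drops the guard that refuses to configure a second DNSSEC key master (`if not api.env.host in dnssec_masters and dnssec_masters:` followed by `sys.exit(...)`); wherever it is relocated, keep the sys.exit so two masters can never be set up, and write the test as `api.env.host not in dnssec_masters`, which is the idiomatic form.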

Re: [Freeipa-devel] [PATCH] 801-806 webui-ci: otptoken tests

2015-05-15 Thread Milan Kubik

On 05/12/2015 01:57 PM, Petr Vobornik wrote:

On 05/11/2015 01:25 PM, Milan Kubik wrote:

On 05/07/2015 01:38 PM, Petr Vobornik wrote:

On 02/19/2015 03:51 PM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/4307

For ipa-4-1 apply:
- patch 800 (different thread)
- patches 801-806

For master apply:
- patch 800 (different thread)
- patch 807 (different thread)
- patch 801-master
- patches 802-806

Patch 801 allows to use ipalib rpc client in Web UI test suite.
Patches 802-805 are various ui_driver fixes to allow stuff in patch 806.


== [PATCH] 806 webui-ci: otptoken tests ==

Basic otptoken Web UI CI coverage.

tests:
* crud for otptokens as admin
* crud for normal users
* checks fields of adder dialog for both token types and user role
(admin/user)
* token actions as admin (enable, disable, delete)
* token actions as normal user (delete)
* login as normal user with hotp and totp token
* sync token hotp and totp token as normal user and then login

https://fedorahosted.org/freeipa/ticket/4307

== [PATCH] 805 webui-ci: allow custom names for disable/enable
actions ==

Not all disable and enable actions are called 'disable' and 'enable'.

== [PATCH] 804 webui-ci: allow to update pkey in post-add in basic-crud tests ==

== [PATCH] 803 webui-ci: add post_add_action ==

A post-add action allows filling in autogenerated values, e.g. the pkey of a
new otptoken.

This value can then be used in other subsequent tests which depend on it,
like crud tests.

== [PATCH] 802 webui-ci: fix negative visibility check ==

Allow defining that an element doesn't have to be present on a page for
negative visibility checks.

E.g. if the element is added only when it's displayed and is removed
otherwise.

== [PATCH] 801 webui-ci: support direct IPA API calls ==

Add IPA API support to ui_driver. It leverages the new ipalib RPC client's
form-based authentication, which allows calling the IPA API while
the machine is neither an IPA client nor kerberized.

The api's environment values are taken from the test configuration, so
duplicating them in ~/.ipa/default.conf is not required.

Since the machine doesn't have to be an IPA client, it also doesn't
have an NSS database with IPA's CA certificate. Therefore on each API
initialization a new NSS database is created with a CA certificate
downloaded from IPA. This db is deleted in the tearDown phase.

Usage:

1. as admin one can immediately call rpc commands; the api will be
initialized upon the first request and is available under self.api
(assuming self is ui_driver):
   self.api.Command.user_del(USER_ID, **{'continue': True})

2. to reconnect as another user:
   self.reconnect_api(USER_ID, USER_PW)

3. to reconnect back as admin:
   self.reconnect_api()



Patch #803 needed a rebase.



Hi, thanks for the patches.

Please, fix pep8 complaints in 803, 805 and 806.



$ git diff HEAD~6 -U0 | pep8 --diff

returns 20x E501 line too long

IMO, it's better this way for better code readability.



Also, change the header in 806 to the shorter version, please.


Fixed, patches were regenerated.



#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

Patches 801, 802 and 804 look good to me.
The test cases in 806 look good to me as well.

Milan

I have reviewed the pep8 complaints closely and yes, readability would
suffer a little.

<nitpick-alert>I don't like line 317 after patch 806.</nitpick-alert>
Fix it at your discretion.
Otherwise ACK.

Thanks,
Milan

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 426] baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry

2015-05-15 Thread Jan Cholasta

Hi,

the attached patch fixes a bug I have discovered while reviewing the 
vault patches.


Pushed to master under the one-liner rule: 
dc668b1b6a75472ea79a6af4dbcd8c6a2c5a0384


Honza

--
Jan Cholasta
From ac96930015e735588e3830ed88948ddcc0b48633 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 15 May 2015 14:00:54 +
Subject: [PATCH] baseldap: Fix possible crash in
 LDAPObject.handle_duplicate_entry

---
 ipalib/plugins/baseldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index b06b570..2eab69f 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -756,7 +756,7 @@ class LDAPObject(Object):
 def handle_duplicate_entry(self, *keys):
 try:
 pkey = keys[-1]
-except KeyError:
+except IndexError:
 pkey = ''
 raise errors.DuplicateEntry(
 message=self.already_exists_msg % {
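Review bot: the fix is right, since indexing an empty `keys` tuple with `keys[-1]` raises IndexError rather than KeyError, so the old handler let the exception escape and turned a duplicate-entry report into a crash. A variant that needs no try/except at all and makes the empty-keys fallback explicit is `pkey = keys[-1] if keys else ''`.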
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

2015-05-15 Thread David Kupka
Hello Thierry,
thanks for the patch set. The overall functionality of the ULC feature looks good to
me and is definitely alpha ready.

I found the following issues but don't insist on fixing them right now:

1) When stageuser-activate fails due to an already existing active/deleted user,
the DN is shown instead of the user name that's used in other commands (user-add,
stageuser-add).
$ ipa user-add tuser --first Test --last User
$ ipa stageuser-add tuser --first Test --last User
$ ipa stageuser-activate tuser
ipa: ERROR: Active user 
uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
 
already exists

2) According to the design there should be '--only-delete' and '--also-delete'
options for the user-find command; instead there is a '--preserved' option.
Honza proposed adding a virtual boolean attribute 'deleted' to the user entry and
filtering on it.
The 'deleted' attribute would also be useful in user-show, where there is no way to
tell if the displayed user is active or deleted (except running with --all
and looking at the dn).

3) uidNumber and gidNumber can't be set back to '-1' once set to another value.
This would be useful when the admin changes their mind and wants IPA to assign them.
IIUC, there should be no validation in the cn=staged user container. All
validation should be done during stageuser-activate.

4) Support for the deleted -> stage workflow is still missing. But I'm unsure if we
agreed to finish it now or later.

5) Deleting a user twice with '--preserve' deletes him permanently.
$ ipa user-add tuser --first Test --last User
$ ipa user-del tuser --preserve
$ ipa user-del tuser --preserve
$ ipa user-find --preserved

0 (delete) users matched


Number of entries returned 0


David

- Original Message -
From: thierry bordaz tbor...@redhat.com
To: Jan Cholasta jchol...@redhat.com, David Kupka dku...@redhat.com
Cc: freeipa-devel freeipa-devel@redhat.com
Sent: Tuesday, May 12, 2015 5:05:29 PM
Subject: Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show 
stageuser commands

On 05/12/2015 02:17 PM, thierry bordaz wrote:
 On 05/05/2015 08:57 AM, Jan Cholasta wrote:
 Hi,

 Dne 28.4.2015 v 16:40 thierry bordaz napsal(a):
 On 04/28/2015 10:40 AM, David Kupka wrote:
 On 04/28/2015 10:28 AM, thierry bordaz wrote:
 On 04/28/2015 10:23 AM, David Kupka wrote:
 On 04/16/2015 01:00 PM, thierry bordaz wrote:
 Hello,

 Here is the next patch for User life cycle that introduces
 del/mod/find and show stageuser plugin commands.

   * User Life Cycle (create containers and scoping DS plugins): *pushed*
   * 0001-User-Life-Cycle-Exclude-subtree-for-ipaUniqueID-gene.patch: *pushed*
   * 0002-User-life-cycle-stageuser-add-verb.patch: *pushed*
   * 0007-User-life-cycle-allows-MODRDN-from-ldap2.patch: *pushed*
   * 0003-User-life-cycle-new-stageuser-commands-del-mod-find-: *under review* (this one)
   * 0004-User-life-cycle-new-stageuser-commands-activate.patch
   * 0005-User-life-cycle-new-stageuser-commands-activate-prov.patch
   * 0006-User-life-cycle-user-del-supports-permanently-preser.patch
   * 0008-User-life-cycle-user-find-support-finding-delete-use.patch
   * 0009-User-life-cycle-support-of-user-undel.patch
   * 0010-User-life-cycle-DNA-DS-plugin-should-exclude-provisi.patch
   * 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch
   * 0012-User-life-cycle-Create-stage-Admin-provisioning-acco.patch
   * 0013-User-life-cycle-Stage-Admin-permission-priviledge.patch

 Thanks
 thierry




 Hi Thierry,
 thanks for the patch, the code looks good to me but there is probably
 a bug in the ACIs.
 After creating a stage user and setting a password for him I can kinit
 as the stage user. I'm unable to log in to the IPA client and the id
 command for this stage user responds "no such user", but I can kinit
 and invoke ipa commands.

 Steps:
 0. build freeipa with your patch
 1. # ipa-server-install
 2. $ kinit admin
 3. $ ipa stageuser-add suser0 --first Stage --last User --password
 4. $ kdestroy
 5. $ kinit suser0
 6. $ ipa user-find

 Actual:
 Prints out list of ipa users.

 Expected:
 kinit fails with suser0@... not found in Kerberos database

 Hi David,

 Thank you so much for having looked at this patch :-)
 You are right. The Staging users (as well as the Deleted users) are
 not locked out in that patch.
 The patch
 0011-User-life-cycle-lockout-provisioning-stage-and-delet.patch will
 take care of this.

 Do you prefer that I merge the two patches right now?

 thanks
 thierry


 Hi Thierry,
 no, it is not necessary to merge the patches; it's ok to have them
 separated. I'm not sure if the patch should be pushed now or rather
 wait and push it together with the others.
 I'm looking forward to the next ULC patches from you.



 Hi David,

 Here are all the available patches.
 I also attach a test script that is a kind of regression test that
 I am using.

 Thanks again
 thierry



 

Re: [Freeipa-devel] [PATCH 0322-0337] Fix mysterious failures in PTR record synchronization

2015-05-15 Thread Petr Spacek
On 15.5.2015 15:48, Tomas Hozza wrote:
 On 05/05/2015 05:24 PM, Petr Spacek wrote:
 Hello,

 Attached patch set is the best fix for
 https://fedorahosted.org/bind-dyndb-ldap/ticket/155
 I was able to write.

 This patch set should fix vast majority of race conditions. Unfortunately it
 cannot be 100 % reliable without support for LDAP transactions.

 For convenience you can download the whole tree from
 https://github.com/pspacek/bind-dyndb-ldap/commits/t155.syncptr
 HEAD = da2552632f6ce67f1bb9d9b3cdd3e0a8e06ce9ea

 Enjoy.

 
 Hi.
 
 There is one unused variable after patch 325
 Move SOA serial update functions to zone.c.
 
 - it looks like you forgot to remove:
 https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L3892
 https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L4037
 https://github.com/pspacek/bind-dyndb-ldap/blob/d616021d6665ebab97035efb687a88a4a139f636/src/ldap_helper.c#L4038
 
 Other than that, patches look good. I tested them and reviewed from
 https://github.com/pspacek/bind-dyndb-ldap/commits/t155.syncptr
 
 ACK with the fix for unused variable.

Fixed version was pushed to master branch:

e36125eb594b0c71f6afe02bfc34de4cf4c19b94 SyncPTR: Read PTR record values from RBTDB instead of LDAP.
86ad1dd8363c55c579f29e2da0bf87aedc7fcc80 Split SyncPTR code into separate module.
d430ca6ba685cf629f72466b1a17e8ed36a346a7 Move journal maintenance functions to zone.c.
f24c80ac80b6f8eae2324123e79c73e0a72492f5 Move SOA serial update functions to zone.c.
7dee381afc752f8611ad7d91cb309b721b0097bd Move helper functions for diff manipulation to zone.c.
a38479f9739f59fedb8c264c768b7d3044b3692c Move DEFAULT_TTL to header ldap_entry.h.
0aa9c851a71a68efa5342d6b492429d1d96a820b Return ISC_R_SUCCESS from rdataset_to_diff() to be consistent.
caf4c85b2892b49e567e4464824d4bae5d73929e SyncPTR: Use database API for modifications to prevent race conditions.
4a6f694a5898bdcb90ca758e4521e5afa9c1759b Zone SOA serial functions now accept NULL output parameter new_serial.
c42005a3b219879043b59c70372eaddbd3e9e72a SyncPTR: Bump SOA serial immediatelly during PTR synchronization.
56ec3b86a63709d6218852c69fce1dbda72e834b SyncPTR: Record PTR synchronization into zone journal to allow IXFR.
e3b090403b7c9529b84647e0a31e03574dcb08b6 SyncPTR: Do update asynchronously to prevent race conditions.
b56f558435fb608237cef0cf51595d1ccc09be67 Remove unused structure ldap_qresult.
1a36c36b69d490e48c1f04cfe85c064202989a3b SyncPTR: Improve logging.
41fabef959bd2ed08194c507271e41a26cdac8f4 SyncPTR: Do not return SERVFAIL if reverse zone does not exist.
e35f51a752e06d500984faff934267d734e365aa SyncPTR: New PTR records inherit TTL value from respective A/ records.
1e8a8461c2a27e37046a47f22c7203ff1aa5d6ba Add includes to zone.c to improve compatibility with BIND 9.9.4.

Thank you!

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

2015-05-15 Thread Jan Cholasta

Dne 15.5.2015 v 16:16 Martin Babinsky napsal(a):

These two patches fix two issues reported by David Kupka in the most recent
freeipa-master builds, which are caused by my previous patch 0031
"provide a dedicated ccache file to httpd".

Patch 0033 moves the `clientcaches` and `krbcache` directories under a
common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
installed together with IPA: the removal of the former Apache module
also removes the `krbcache` directory, thus invalidating the ccache path
in KRB5CCNAME.

This of course causes spectacular explosions when calling the RPC interface
(aka always).

Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in
our `httpd.service` override during uninstall. This fixes an issue
related to uninstalling an old IPA server and immediately installing a new
IPA server.

In this case the old ccache is left in the httpd runtime dir, causing
"Decrypt integrity check failed" errors when connecting to the RPC interface
(old tickets are being sent to a KDC having the new Apache secret key).

However, issuing 'kdestroy -A' as the apache user is not enough, because
systemd daemons use completely different isolated environments (and thus
a completely different KRB5CCNAME than the apache user). That's why we have to
explicitly remove the ccache using 'kdestroy -c'.

I would like to thank David for pointing out these issues.



Don't forget to bump the version at the top of install/conf/ipa.conf.

--
Jan Cholasta
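The cleanup step Martin describes above (destroying the ccache that the httpd.service override names, because `kdestroy -A` run as the apache user cannot see a unit-scoped KRB5CCNAME), as an added shell example that is not FreeIPA's own code: it reads KRB5CCNAME out of an override file and destroys that cache with `kdestroy -c`, falling back to removing the file; the temp directory, override file and stand-in cache file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not FreeIPA code: locate the credential cache that a systemd
# unit override pins through Environment=KRB5CCNAME and destroy it explicitly.
# `kdestroy -A` run as the apache user only reaches that user's own KRB5CCNAME,
# not the one the httpd unit runs with, so the path has to be taken from the
# unit file itself.

# Print the KRB5CCNAME value from a unit file's Environment= lines
# (handles Environment=KRB5CCNAME=... and the quoted "KRB5CCNAME=..." form;
# the last assignment wins, as it does for systemd).
ccache_from_unit() {
    sed -n 's/^Environment=\(.*\)$/\1/p' "$1" |
        tr ' ' '\n' |
        sed -n 's/^"\{0,1\}KRB5CCNAME=\([^"]*\)"\{0,1\}$/\1/p' |
        tail -n 1
}

# Turn a krb5 cache name into a filesystem path (strip an optional FILE: prefix).
ccache_path() {
    printf '%s\n' "$1" | sed 's/^FILE://'
}

# Destroy the cache named in $1. kdestroy -c is preferred so that krb5 wipes
# and unlinks the file itself; if kdestroy is missing or fails, remove the file.
# Returns 0 only when the cache file is gone afterwards.
destroy_ccache() {
    path=$(ccache_path "$1")
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "$1" 2>/dev/null || rm -f "$path"
    else
        rm -f "$path"
    fi
    [ ! -e "$path" ]
}

# Demo with a constructed override file and an empty stand-in cache file
# (the real path on the page is /var/run/httpd/ipa/krbcache/krb5ccache).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/krbcache"
cat > "$demo_dir/httpd.service" <<EOF
.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=FILE:$demo_dir/krbcache/krb5ccache
EOF
: > "$demo_dir/krbcache/krb5ccache"
cc=$(ccache_from_unit "$demo_dir/httpd.service")
destroy_ccache "$cc" && echo "destroyed $cc"
```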



Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

2015-05-15 Thread Martin Babinsky

On 05/15/2015 04:25 PM, Jan Cholasta wrote:

Dne 15.5.2015 v 16:16 Martin Babinsky napsal(a):

These two patches fix two issues reported by David Kupka in the most recent
freeipa-master builds, which are caused by my previous patch 0031
"provide a dedicated ccache file to httpd".

Patch 0033 moves the `clientcaches` and `krbcache` directories under a
common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
installed together with IPA: the removal of the former Apache module
also removes the `krbcache` directory, thus invalidating the ccache path
in KRB5CCNAME.

This of course causes spectacular explosions when calling the RPC interface
(aka always).

Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in
our `httpd.service` override during uninstall. This fixes an issue
related to uninstalling an old IPA server and immediately installing a new
IPA server.

In this case the old ccache is left in the httpd runtime dir, causing
"Decrypt integrity check failed" errors when connecting to the RPC interface
(old tickets are being sent to a KDC having the new Apache secret key).

However, issuing 'kdestroy -A' as the apache user is not enough, because
systemd daemons use completely different isolated environments (and thus
a completely different KRB5CCNAME than the apache user). That's why we have to
explicitly remove the ccache using 'kdestroy -c'.

I would like to thank David for pointing out these issues.



Don't forget to bump the version at the top of install/conf/ipa.conf.


Attaching updated patch 0033 with the bumped version.

--
Martin^3 Babinsky
From a748e53fc0c1f56a81af5716cd7f04fe6c0b8649 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Fri, 15 May 2015 15:37:05 +0200
Subject: [PATCH 1/2] move IPA-related http runtime directories to common
 subdirectory

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use a common directory for storing the Apache ccache file.
Uninstallation of 'mod_auth_kerb' removes this directory, leading to an
invalid ccache path for httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
---
 freeipa.spec.in| 8 ++--
 init/systemd/httpd.service | 2 +-
 init/systemd/ipa.conf.tmpfiles | 4 +++-
 install/conf/ipa.conf  | 4 ++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
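Review bot: the three `install -d -m 0700` lines create the new directories without an owner, so their apache ownership depends entirely on the matching `%dir %attr(0700,apache,apache)` entries later in this patch; the two lists must be kept in step whenever a path changes. Dropping `%{_localstatedir}/run/httpd/clientcaches` from the package also means that, on upgrade, a non-empty old `clientcaches/` directory (with whatever client ccaches are still in it) is left behind unowned; consider removing it in a scriptlet so stale credential caches do not linger on the upgraded server.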
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
 
 [Service]
-Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
+Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
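Review bot: changing KRB5CCNAME here leaves the previous cache at `/var/run/httpd/krbcache/krb5ccache` in place on upgraded servers, and a running httpd keeps the old environment until it is restarted; the upgrade path should restart httpd and destroy the old cache by its old path. As the thread already notes, `kdestroy -A` as apache does not reach a unit-scoped KRB5CCNAME, so that cleanup needs `kdestroy -c` with the explicit path.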
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
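Review bot: these three `d` lines now encode the same paths, mode and owner that freeipa.spec.in's %files section and the KRB5CCNAME in httpd.service also hard-code, so the next move of these directories has to be made in three places; a single definition expanded into all of them would stop one copy from drifting silently. Note also that `d` entries without an age field are never pruned by systemd-tmpfiles --clean, which is the right behaviour for live ccaches but deserves a comment in the fragment.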
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index