[Freeipa-devel] [PATCH 0368-0371] Support LDAP MODRDN for ordinary DNS records
Hello, this patchset implements support for MODRDN for ordinary records. As noted in ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/123, we agreed yesterday that renaming zones is out of scope and seems unnecessarily complex. This patch set depends on 'metadb' branch. It is also available from: https://github.com/pspacek/bind-dyndb-ldap/tree/modrdn Thank you for your time! -- Petr^2 Spacek From 6bcb7490416c8a1815e4a637be906bf3e8936e33 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 19 May 2015 14:38:40 +0200 Subject: [PATCH] Support LDAP MODRDN for ordinary DNS records. Renaming of DNS zones and configuration objects is still not supported. https://fedorahosted.org/bind-dyndb-ldap/ticket/123 --- src/ldap_helper.c | 129 +- 1 file changed, 78 insertions(+), 51 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 8922141724c4351db9435fd73e91756d60606390..5ae774aba2c5e43c240fd9dfa639481ea7356778 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3690,32 +3690,6 @@ update_zone(isc_task_t *task, isc_event_t *event) CHECK(ldap_parse_fwd_zoneentry(entry, inst)); } - /* This code is disabled because we don't have UUID-DN database yet. - if (SYNCREPL_MODDN(pevent-chgtype)) { - if (dn_to_dnsname(inst-mctx, pevent-prevdn, prevname, NULL) - == ISC_R_SUCCESS) { -CHECK(ldap_delete_zone(inst, pevent-prevdn, - ISC_TRUE, ISC_FALSE)); - } else { -log_debug(5, update_zone: old zone wasn't managed - by plugin, dn '%s', pevent-prevdn); - } - - // fill the cache with records from renamed zone // - if (objclass LDAP_ENTRYCLASS_MASTER) { -CHECK(ldap_query(inst, NULL, ldap_qresult_record, pevent-dn, - LDAP_SCOPE_ONELEVEL, attrs_record, 0, - (objectClass=idnsRecord))); - -for (entry_record = HEAD(ldap_qresult_record-ldap_entries); - entry_record != NULL; - entry_record = NEXT(entry_record, link)) { - - syncrepl_update(inst, entry_record, NULL); -} - } - } - */ cleanup: if (inst != NULL) { sync_concurr_limit_signal(inst-sctx); 
@@ -4047,11 +4021,23 @@ cleanup: return result; } +/** + * Create asynchronous ISC event to execute update_config()/zone()/record() + * in a task associated with affected DNS zone. + * + * @param[in,out] entryp (Possibly fake) LDAP entry to parse. + * @param[in] chgtype One of LDAP_SYNC_CAPI_ADD/MODIFY/DELETE. + * + * @pre entryp is valid LDAP entry with class, DNS names, DN, etc. + * + * @post entryp is NULL. + */ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT -syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype) +syncrepl_update(ldap_instance_t *inst, ldap_entry_t **entryp, int chgtype) { isc_result_t result = ISC_R_SUCCESS; ldap_syncreplevent_t *pevent = NULL; + ldap_entry_t *entry = NULL; isc_event_t *wait_event = NULL; dns_name_t *zone_name = NULL; dns_zone_t *zone_ptr = NULL; @@ -4062,18 +4048,19 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype) isc_task_t *task = NULL; sync_state_t sync_state; + REQUIRE(entryp != NULL); + entry = *entryp; REQUIRE(entry-class != LDAP_ENTRYCLASS_NONE); - log_debug(20, syncrepl change type: /*none%d,*/ add%d, del%d, mod%d, /* moddn%d, */ - /* !SYNCREPL_ANY(chgtype), */ SYNCREPL_ADD(chgtype), - SYNCREPL_DEL(chgtype), SYNCREPL_MOD(chgtype)/*, SYNCREPL_MODDN(chgtype) */ ); + log_debug(20, syncrepl_update change type: add%d, del%d, mod%d, + SYNCREPL_ADD(chgtype), SYNCREPL_DEL(chgtype), + SYNCREPL_MOD(chgtype)); isc_mem_attach(inst-mctx, mctx); CHECKED_MEM_STRDUP(mctx, entry-dn, dn); CHECKED_MEM_STRDUP(mctx, inst-db_name, dbname); - if (entry-class LDAP_ENTRYCLASS_MASTER) zone_name = entry-fqdn; else @@ -4150,6 +4137,7 @@ syncrepl_update(ldap_instance_t *inst, ldap_entry_t *entry, int chgtype) pevent-entry = entry; wait_event = (isc_event_t *)pevent; isc_task_send(task, (isc_event_t **)pevent); + *entryp = NULL; /* event handler will deallocate the LDAP entry */ /* Lock syncrepl queue to prevent zone, config and resource records * from racing with each other. */ 
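Review bot: The new `REQUIRE(entryp != NULL); entry = *entryp;` at the top of syncrepl_update is immediately followed by `REQUIRE(entry->class != LDAP_ENTRYCLASS_NONE)`, which dereferences `entry` before anything has checked that `*entryp` itself is non-NULL, so a caller passing an already-consumed (NULLed) entry pointer gets a NULL dereference instead of an assertion failure; tighten the precondition to `REQUIRE(entryp != NULL && *entryp != NULL);`. The new Doxygen block states `@post entryp is NULL`, but what the hunk at 4137 clears is `*entryp`, and only on the hand-off path after isc_task_send; the failure path goes through cleanup outside this hunk, so the contract would be more accurate as `@post *entryp is NULL; on success ownership of the entry has passed to the event handler, otherwise the entry has been destroyed`. `inst` also has no `@param` line in the new comment. syncrepl_update's body continues outside the hunk.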
@@ -4172,7 +4160,7 @@ cleanup: isc_mem_free(mctx, dn); if (mctx != NULL) isc_mem_detach(mctx); - ldap_entry_destroy(inst-mctx, entry); + ldap_entry_destroy(inst-mctx, entryp); if (task != NULL) isc_task_detach(task); } @@ -4264,11 +4252,13 @@ int ldap_sync_search_entry ( ldap_sync_refresh_t phase ) { ldap_instance_t *inst = ls-ls_private; - ldap_entry_t *entry = NULL; + ldap_entry_t *old_entry = NULL; + ldap_entry_t *new_entry = NULL; isc_result_t result; metadb_node_t *node = NULL; isc_boolean_t mldap_open = ISC_FALSE; const char *ldap_base = NULL; + isc_boolean_t modrdn = ISC_FALSE; #ifdef RBTDB_DEBUG static unsigned int count = 0; @@ -4281,49 +4271,86 @@ int ldap_sync_search_entry ( mldap_open = ISC_TRUE;
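Review bot: `ldap_entry_destroy(inst->mctx, entryp)` now runs in cleanup on every exit from syncrepl_update, including the success path where `*entryp` was already set to NULL after isc_task_send (hunk at 4137); this is only correct if ldap_entry_destroy treats a NULL `*entryp` as a no-op, and nothing in the diff shows its definition, so please confirm and record the assumption on the call, e.g. `/* no-op once the entry was handed to the event (*entryp == NULL) */`. In ldap_sync_search_entry the new `old_entry`, `new_entry` and `modrdn` locals are declared here but their use is in the following hunk, which starts at the end of this chunk and is not visible, so the ownership rule for old_entry versus new_entry on the MODRDN path cannot be reviewed from here. The enclosing functions of both hunks extend beyond the lines shown.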
Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management
Dne 20.5.2015 v 07:56 Fraser Tweedale napsal(a): On Wed, May 20, 2015 at 07:40:44AM +0200, Jan Cholasta wrote: Dne 19.5.2015 v 13:50 Fraser Tweedale napsal(a): On Tue, May 19, 2015 at 10:52:49AM +0200, Jan Cholasta wrote: Dne 15.5.2015 v 14:27 Martin Basti napsal(a): On 15/05/15 10:24, Fraser Tweedale wrote: Please find attached latest patches including new patches: - 0006 enable LDAP-based profiles in Dogtag on upgrade - 0007 import included profiles during install or upgrade There is one TODO in the patches where some more code is needed on Dogtag side, and another TODO (not in patches) to migrate caIPAserviceCert profile to DefaultService profile and switch to using DefaultService for cerificate issuance (as the default profile). Jan and Martin, further comments to earlier reviews inline. Cheers, Fraser On Wed, May 13, 2015 at 10:39:55AM +0200, Jan Cholasta wrote: Dne 13.5.2015 v 10:36 Martin Basti napsal(a): On 13/05/15 10:06, Jan Cholasta wrote: Hi, Dne 5.5.2015 v 10:38 Martin Basti napsal(a): On 05/05/15 08:29, Fraser Tweedale wrote: On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote: On 04/05/15 15:36, Fraser Tweedale wrote: Hello, Please review the first cut of the 'certprofile' command and other changes associated with the Certificate Profiles feature[1]. Custom profiles can't be used yet because 'cert-request' has not been updated, but you can manage the profiles (find, show, import, modify, delete). There's a bit more work to do on profile management and a lot more to do for using profiles and sub-CAs. I am tracking my progress on etherpad[2] so if you are reviewing check there for the TODO list and some commentary. If you want to test: for f21, please use Dogtag from my copr[2]. For f22 the required version is in updates-testing (or my copr). In summary: this is not the whole feature, just the first functional part. 
Since it is my first experience developing in the IPA framework I want to get patches out so you can point out all the things I did wrong or overlooked, and I can fix them. Don't hold back :) [1] http://www.freeipa.org/page/V4/Certificate_Profiles [2] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress [3] http://copr.fedoraproject.org/coprs/ftweedal/freeipa/ Thank you for patches, I have no idea what kind of dogtag magic is happening there, but I have a few comments related to IPA: Thanks for reviewing, Martin. Comments inline. You are welcome, comments inline. Martin^2 Upgrade: 1) +config.set(CA, pki_profiles_in_ldap, True) IMO this will work only for new installations. For upgrade you may need to add this to ipa-upgradeconfig OK. 2) +dn: cn=certprofiles,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles IMO this will work only for new installations. For upgrade you may need to add it into update file as well, with the 'default' keyword I don't understand about the 'default' keyword - can you explain this some more? In an upgrade file: dn: cn=certprofiles,cn=etc,$SUFFIX default:objectClass: nsContainer default:objectClass: top default:cn: certprofiles Maybe we should do what DNS does and have a container for CA specific stuff in the suffix: cn=ca,$SUFFIX. The container would be created only if CA is installed. Certificate profile container would then be cn=certprofiles,cn=ca,$SUFFIX. I haven't changed this for the current patchset. What are the implications / motivations for changing it? To have everything CA-specific in one place and created only when CA is installed. This is consistent with DNS, the other optional IPA component. OK, I'll change it. Sub-CA data and Certificate Identity Mapping settings could also be stored under there, when implemented. 
Yes, Sub-CAs should also be stored there, but certificate identity mappings should work even without CA installed, so they should be stored somewhere else, like cn=etc. That makes sense. 3) Your patch 0004 will work on new installations only. You may need to add that new step into ipa-upgradeconfig. Must be that step there during installation? If not you can create just one update file, which will be applied at the end of installation and during upgrade. This change must be made to the Dogtag directory (not IPA) - can an update file be used to do that? If not, is ipa-upgradeconfig the best place to make this change? If it is change in LDAP, you can use updatefile: dn: cn=aclResources,$SUFFIX add:resourceACLS: certServer.profile.configuration:read,modify:allow (read,modify) group=Certificate Manager Agents:Certificate Manager agents may modify (create/update/delete) and read profiles Please temporarily use my patch freeipa-mbasti-231-4, (which will be pushed soon) to avoid issues with CSV Note that this update should be done only if CA is installed. In that case, you must create update plugins. I would prefer a CAInstance method called during install and in ipa-upgradeconfig. So more
Re: [Freeipa-devel] [PATCH] Password vault
Dne 19.5.2015 v 16:40 Endi Sukma Dewata napsal(a): Before I send another patch I have some questions below. On 5/19/2015 3:27 AM, Jan Cholasta wrote: I changed the 'host vaults' to become 'service vaults'. The interface will look like this: $ ipa vault-find --service HTTP/server.example.com $ ipa vault-add test --service HTTP/server.example.com I also added user vaults: $ ipa vault-find --user testuser $ ipa vault-add test --user testuser Private vaults are a special case of user vaults where username=you. Host vaults can be added later once we define the use case. OK. I suppose you meant you're OK with not adding host vaults now? Yes. 4. The following code in get_dn() is incorrect: principal = getattr(context, 'principal') (name, realm) = split_principal(principal) name = name.split('/') if len(name) == 1: container_dn = DN(('cn', 'users'), container_dn) else: container_dn = DN(('cn', 'services'), container_dn) container_dn = DN(('cn', name[-1]), container_dn) A service does not have a private container like users (cn=username, cn=users, cn=vaults). The entry cn=name, cn=host, cn=services, cn=vaults is a service vault, not a container. The service vault is used by the admin to provide a secret for a service. I'm not sure what the behavior should be if a service is executing a vault command that uses a private container such as: $ ipa vault-add test Maybe it should just generate an error. Users, hosts and services are all user-like objects, is there a reason not to support private vaults for all of them? As mentioned above, it's not required in the design doc, but we can add it if there's a clear use case. I agree that at least for now we can change the service vault into a service container to store multiple service's private vaults. I don't really care about having a clear use case, I would prefer if the design was elegant enough to handle *all* the cases without any extra effort. 
The only way to know if the design will be future proof is if we have at least some idea how it will be used. Without that there is no guarantee. Host principals have this form: host/hostname@realm, so with the current code they will be considered a service and will have a service container. Do you want to add a new cn=hosts container just for hosts? Unless we have a specific reason (i.e. use case) I don't see a need to add specific code for hosts now, or at least until we get the core vault functionality working. The reason is consistency. Private vaults should be available for all identities, because anything else would be an arbitrary limitation (which is not elegant). If private vaults were available for all identities, we would need a container for host vaults. I'm not saying the container has to be added now, but there should at least be a check to reject requests when the authenticated identity is a host (i.e. context.principal.startswith('host/')). 5. In create_container() why do you need to reconstruct the container_dn on each invocation even though the value is fixed? container_dn = DN(self.container_dn, self.api.env.basedn) Because self.api may not necessarily be the same as ipalib.api. Under what scenario would that be a problem? When someone uses the plugin with a different API object than ipalib.api. The original code seems to be working fine with ipalib.api. The current best practice is to use self.api and *all* new plugin code should do that. If it is a problem, why do we still use ipalib.api to initialize container_dn vault class attribute? container_dn = api.env.container_vault Then in get_dn() we basically construct the container_dn variable with values from both self.api and ipalib.api: container_dn = DN(self.container_dn, self.api.env.basedn) When is the self.api actually initialized? Can we initialize the container_dn (or base_dn as in the original code) attribute immediately after that? Not yet, but this will be fixed in the future. 
(Also, container_dn is part of the LDAPObject API, unlike base_dn used in the original code.) Is there a ticket for this? I don't think there is a ticket for this particular issue. This change is not included. The code will now obtain the values from apilib.api.env at init time and store it in class attributes so it can be reused. container_dn = api.env.container_vault base_dn = DN(container_dn, api.env.basedn) Sorry, but no. Please just follow the best practice instead of trying to invent something new. This is not the right time and place to discuss this. We should be discussing the vault, not framework idiosyncrasies. OK. Thanks for understanding. 6. The loop in create_container() is incorrect. Suppose we're creating a container cn=A, cn=B, suffix and the parent container cn=B, suffix doesn't exist yet. The first add_entry() invocation will fail as expected, but instead of adding the parent entry the whole method will fail. Right,
Re: [Freeipa-devel] [PATCHES 0001-0007] Profile management
On Tue, May 19, 2015 at 10:52:49AM +0200, Jan Cholasta wrote: Dne 15.5.2015 v 14:27 Martin Basti napsal(a): On 15/05/15 10:24, Fraser Tweedale wrote: Please find attached latest patches including new patches: - 0006 enable LDAP-based profiles in Dogtag on upgrade - 0007 import included profiles during install or upgrade There is one TODO in the patches where some more code is needed on Dogtag side, and another TODO (not in patches) to migrate caIPAserviceCert profile to DefaultService profile and switch to using DefaultService for cerificate issuance (as the default profile). Jan and Martin, further comments to earlier reviews inline. Cheers, Fraser On Wed, May 13, 2015 at 10:39:55AM +0200, Jan Cholasta wrote: Dne 13.5.2015 v 10:36 Martin Basti napsal(a): On 13/05/15 10:06, Jan Cholasta wrote: Hi, Dne 5.5.2015 v 10:38 Martin Basti napsal(a): On 05/05/15 08:29, Fraser Tweedale wrote: On Mon, May 04, 2015 at 06:35:45PM +0200, Martin Basti wrote: On 04/05/15 15:36, Fraser Tweedale wrote: Hello, Please review the first cut of the 'certprofile' command and other changes associated with the Certificate Profiles feature[1]. Custom profiles can't be used yet because 'cert-request' has not been updated, but you can manage the profiles (find, show, import, modify, delete). There's a bit more work to do on profile management and a lot more to do for using profiles and sub-CAs. I am tracking my progress on etherpad[2] so if you are reviewing check there for the TODO list and some commentary. If you want to test: for f21, please use Dogtag from my copr[2]. For f22 the required version is in updates-testing (or my copr). In summary: this is not the whole feature, just the first functional part. Since it is my first experience developing in the IPA framework I want to get patches out so you can point out all the things I did wrong or overlooked, and I can fix them. 
Don't hold back :) [1] http://www.freeipa.org/page/V4/Certificate_Profiles [2] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress [3] http://copr.fedoraproject.org/coprs/ftweedal/freeipa/ Thank you for patches, I have no idea what kind of dogtag magic is happening there, but I have a few comments related to IPA: Thanks for reviewing, Martin. Comments inline. You are welcome, comments inline. Martin^2 Upgrade: 1) +config.set(CA, pki_profiles_in_ldap, True) IMO this will work only for new installations. For upgrade you may need to add this to ipa-upgradeconfig OK. 2) +dn: cn=certprofiles,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles IMO this will work only for new installations. For upgrade you may need to add it into update file as well, with the 'default' keyword I don't understand about the 'default' keyword - can you expain this some more? In an upgrade file: dn: cn=certprofiles,cn=etc,$SUFFIX default:objectClass: nsContainer default:objectClass: top default:cn: certprofiles Maybe we should do what DNS does and have a container for CA specific stuff in the suffix: cn=ca,$SUFFIX. The container would be created only if CA is installed. Certificate profile container would then be cn=certprofiles,cn=ca,$SUFFIX. I haven't changed this for the current patchset. What are the implications / motivations for changing it. To have everything CA-specific in one place and created only when CA is installed. This is consistent with DNS, the other optional IPA component. 3) Your patch 0004 will work on new installations only. You may need to add that new step into ipa-upgradeconfig. Must be that step there during installation? If not you can create just one update file, which will be applied at the end of installation and during upgrade. This change must be made to the Dogtag directory (not IPA) - can an update file be used to do that? If not, is ipa-upgradeconfig the best place to make this change? 
If it is change in LDAP, you can use updatefile: dn: cn=aclResources,$SUFFIX add:resourceACLS: certServer.profile.configuration:read,modify:allow (read,modify) group=Certificate Manager Agents:Certificate Manager agents may modify (create/update/delete) and read profiles Please temporarily use my patch freeipa-mbasti-231-4, (which will be pushed soon) to avoid issues with CSV Note that this update should be done only if CA is installed. In that case, you must create update plugins. I would prefer a CAInstance method called during install and in ipa-upgradeconfig. So more or less what Fraser already did, except the ipa-upgradeconfig part. Patch 0004 was updated and now has CAInstance method during install, and ipa-upgradeconfig method for upgrade. It would be better if you used the same CAInstance method both for install and upgrade, instead of duplicating the code. You shouldn't use the deprecated modify_s method of IPAdmin.
Re: [Freeipa-devel] IPAUpgrade.create_instance causing ipa-server-install failure
On 20/05/15 07:31, Fraser Tweedale wrote: I am experiencing ipa-server-install failure which seems to be caused by IPAUpgrade.__start_nowait() (upgradeinstance.py:174). It is claimed that the LDAP connection will wait for the (Unix) socket but it does not - instead it fails to connect. Did something change recently that would cause the connection not to wait for the socket? For now I am working around it with a short sleep in __start_nowait. ipaserver-install.log sample beneath. Cheers, Fraser 2015-05-20T03:50:37Z DEBUG Upgrading IPA: 2015-05-20T03:50:37Z DEBUG [1/9]: stopping directory server 2015-05-20T03:50:37Z DEBUG Starting external process 2015-05-20T03:50:37Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv@IPA-LOCAL.service' 2015-05-20T03:50:40Z DEBUG Process finished, return code=0 2015-05-20T03:50:40Z DEBUG stdout= 2015-05-20T03:50:40Z DEBUG stderr= 2015-05-20T03:50:40Z DEBUG duration: 3 seconds 2015-05-20T03:50:40Z DEBUG [2/9]: saving configuration 2015-05-20T03:50:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-05-20T03:50:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-05-20T03:50:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-05-20T03:50:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-05-20T03:50:40Z DEBUG duration: 0 seconds 2015-05-20T03:50:40Z DEBUG [3/9]: disabling listeners 2015-05-20T03:50:40Z DEBUG duration: 0 seconds 2015-05-20T03:50:40Z DEBUG [4/9]: enabling DS global lock 2015-05-20T03:50:40Z DEBUG duration: 0 seconds 2015-05-20T03:50:40Z DEBUG [5/9]: starting directory server 2015-05-20T03:50:40Z DEBUG Starting external process 2015-05-20T03:50:40Z DEBUG args='/bin/systemctl' 'start' 'dirsrv@IPA-LOCAL.service' 2015-05-20T03:50:40Z DEBUG Process finished, return code=0 2015-05-20T03:50:40Z DEBUG stdout= 2015-05-20T03:50:40Z DEBUG stderr= 2015-05-20T03:50:40Z DEBUG duration: 0 seconds 2015-05-20T03:50:40Z DEBUG [6/9]: 
upgrading server 2015-05-20T03:50:41Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseuser.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py' 2015-05-20T03:50:41Z DEBUG importing plugin module 
'/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py' 2015-05-20T03:50:41Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
Re: [Freeipa-devel] [PATCH] 832-850 Stage Users Web UI and its prerequisites
On 05/19/2015 07:22 PM, Petr Vobornik wrote: On 05/19/2015 05:34 PM, thierry bordaz wrote: On 05/15/2015 05:38 PM, David Kupka wrote: On 05/15/2015 12:34 PM, Petr Vobornik wrote: On 05/15/2015 10:59 AM, Petr Vobornik wrote: Stage User Web UI is actually just the last four patches(847-850). I expect that patch 848 - deleter dialog needs some adjustments (was discussed offline). The rest are prerequisites, namely: - update of patternfly - update navigation code to support multiple entities under one entity tree (it broke a memory feature/bug of the navigation) - support for facet tabs in sidebar Attaching new version of 847-1. The old version did not apply because I had also a new version of topology plugin UI (will be send later today) in my git tree. Hi! thanks for patches. Please note that I tested only functionality because I'm not familiar with WebUI internals. I tried your patch set together with Thierry's ULC patches and found following issues: 1) Missing all but 'Delete' actions in single stage user view. 'Enable', 'Disable', 'Unlock', 'Add OTP Token' and 'Rebuild auto membership ' actions are not relevant here. Fixed in patch 850-1. 2) Missing 'Restore' action in single preserve user view. Will be added later. 3) When deleting preserved user there are options to preserve or permanently delete user. This doesn't make sense and don't work. Preserved user is always permanently removed. Fixed in patch new patch 853 4) Action 'Delete' in single user view deletes the user without asking whether to 'preserve' or 'delete permanently'. Will be fixed later. *) I would prefer if the choice between 'preserve' and 'permanently delete' in delete dialog was done by directly clicking button not switching 'mode' radio button and then clicking 'delete'. Otherwise everything seems to work well. Hello, Petr this is looking very nice and easy to use. I am not an expert of the console, so I run the demo use case and was able to complete all the steps (being a stage administrator). 
The only remark I have is that when activating a stage user, the message mentions 'users' but the CLI actually supports only one user. Are you sure you want to activate selected users You can select multiple users and activate them in UI. It will call stageuser_activate for each user. Except that this is perfect for me. Thanks a lot thierry In this new patch set there are also new icons. Instead of http://fontawesome.io/icon/plus/ - restore action has http://fontawesome.io/icon/heart/ - activate action has http://fontawesome.io/icon/check/ There are also new icons which indicates user state(in page header) in stage user details page. - stage users have http://fontawesome.io/icon/wrench/ - preserved users have http://fontawesome.io/icon/trash-o/ Was agreed offline that just functionality review was OK for this patch set. Green light for the push was given on IRC. Pushed to master: * a4c0f780b727cc92a9b6fa21e42906a80f4f7d42 webui: update patternfly to v1.1.4 * 69bc4f4955c8ee0bdbeea5ca340a003c128e9a58 webui: rename IPA.user_* to IPA.user.* * c352616ac9fbb1685adcbe8834143b24f6e8b5d4 webui: declare search command options in search facet * de374a0d3a1147a650b63bb5c267a857fba015dd webui: register construction spec based on existing spec * ae62bd6914dcdd24667dc1ff149413d9a7adc017 webui: entity facets in facet registry * 2be8eeb04f08cb51a25651794a2f356a2a7b499e webui: entity menu items navigate to main entity facet * 6bcb90ef36f7400e9f1eb197421134d5650c39fe webui: prefer entity fallback in menu item select * 8f6013952061099fff4ec9b8784fc1ee91828c4e webui: navigation: do not remember selected childs of menu item * 6a2b486e500b62abe7ef14e4f34c945726f3256b webui: navigation: unique names on entity facet menu items * 17aafc36b4c94cffa8427c8f4b2aef2292bba40d webui: metadata validator min and max value overrides * 3c2a8b408ec1af284af0ebe218832f3fab85c008 webui: custom facet groups in a facet * 435f9331c633296d72160de1e25bbdc77a81c75e webui: facet groups widget * 
8d8b56d135ad05fbfee35fb88618ce8c5498fd68 webui: allow to replace facet tabs with sidebar * cae2df274a9ba92a4fc8db0259811c1755c648e6 webui: allow to hide facet tabs or sidebar * bf7ee6eeecd71ffeb4740a440fd237a6fac4793f webui: facet policies for all facets * 14525598f97f57d165682247ef7f5cf63f810be5 webui: stageuser plugin * 64e87d5e34f646f0de5b0b310ccaf02cbb119a2b webui: extend user deleter dialog with --permanent and --preserve options * 52647285f6d286c079090b5bff21f5e423076897 webui: update stageuser/user pages based on action in diffrent user search page * 99d282d38d0c847ebb544140edd49d6572f06cb0 webui: stageusers, display page elements based on user state * 7ddcff3ef71a1d4254d291bdab99075f2cd8f205 webui: prefer search facet's deleter dialog -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:
Re: [Freeipa-devel] [UPSTREAM_FAILURES] Latest changes affect freeipa builds and client configuration
Hi Martin, On 05/19/2015 06:35 PM, Martin Basti wrote: On 19/05/15 17:21, Oleg Fayans wrote: Dear colleagues I would like to notify you, that: 1. some of the recent changes in the upstream repo have broken the freeipa-client configuration. The symptoms are as follows: at some point during ipa-server-install the process fails with the following error: Restarting the web server Configuration of client side components failed! ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'myhome.net' '--server' 'testmaster.myhome.net' '--realm' 'MYHOME.NET' '--hostname' 'testmaster.myhome.net'' returned non-zero exit status 1 Looking at the ipaclient-install.log I could tell that the client was unable to authorize with the freshly installed master (kerberos issue?) I've attached the corresponding logs together with the session transcript of ipa-server-install command. This issue is observed since last Thursday at least. 2. Today the master branch fails to build at all with the following exception: cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib; fi ./make-lint === Errors were found during the static code check. If you are certain that any of the reported errors are false positives, please mark them in the source code according to the pylint documentation. === * Module ipa-server-install install/tools/ipa-server-install:955: [E1103(maybe-no-member), main] Instance of 'bool' has no 'lower' member (but some types could not be inferred)) install/tools/ipa-server-install:955: [E1103(maybe-no-member), main] Instance of 'int' has no 'lower' member (but some types could not be inferred)) Makefile:119: recipe for target 'lint' failed Just wanted to inform you. These lint warnings appear only on F21. Now I just successfully build master on F22. I will send a patch to fix F21. Should I also check f20? 
Is there a convention as to which versions of fedora the code should be able to build successfully? The same for run: currently we have only f21 slaves for upstream tests. Should we probably run a limited subset of tests on some other platforms? -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [UPSTREAM_FAILURES] Latest changes affect freeipa builds and client configuration
On 05/20/2015 10:13 AM, Oleg Fayans wrote: Hi Martin, On 05/19/2015 06:35 PM, Martin Basti wrote: On 19/05/15 17:21, Oleg Fayans wrote: Dear colleagues I would like to notify you, that: 1. some of the recent changes in the upstream repo have broken the freeipa-client configuration. The symptoms are as follows: at some point during ipa-server-install the process fails with the following error: Restarting the web server Configuration of client side components failed! ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'myhome.net' '--server' 'testmaster.myhome.net' '--realm' 'MYHOME.NET' '--hostname' 'testmaster.myhome.net'' returned non-zero exit status 1 Looking at the ipaclient-install.log I could tell that the client was unable to authorize with the freshly installed master (kerberos issue?) I've attached the corresponding logs together with the session transcript of ipa-server-install command. This issue is observed since last Thursday at least. 2. Today the master branch fails to build at all with the following exception: cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib; fi ./make-lint === Errors were found during the static code check. If you are certain that any of the reported errors are false positives, please mark them in the source code according to the pylint documentation. === * Module ipa-server-install install/tools/ipa-server-install:955: [E1103(maybe-no-member), main] Instance of 'bool' has no 'lower' member (but some types could not be inferred)) install/tools/ipa-server-install:955: [E1103(maybe-no-member), main] Instance of 'int' has no 'lower' member (but some types could not be inferred)) Makefile:119: recipe for target 'lint' failed Just wanted to inform you. This lint warning are only on F21. Now I just successfully build master on F22. I will send a patch to fix F21. Should I also check f20? 
Is there a convention as on which versions of fedora the code should be able to build successfully? The same for run: currently we have only f21 slaves for upstream tests. Should we probably run a limited subset of tests on some other platforms? I don't think f20 is necessary. It will be eol soon. The convention is fedora versions with provided COPR repos. It would be good to run master builds on F21 and F22. current fedora version - git branch table is something like: master f21, f22. 4-1 f20, f21, f22 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands
Dne 18.5.2015 v 10:33 thierry bordaz napsal(a): On 05/15/2015 04:44 PM, David Kupka wrote: Hello Thierry, thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely alpha ready. I found following issues but don't insist on fixing it right now: 1) When stageuser-activate fails due to already existent active/deleted user. DN is show instead of user name that's used in other commands (user-add, stageuser-add). $ ipa user-add tuser --first Test --last User $ ipa stageuser-add tuser --first Test --last User $ ipa stageuser-activate tuser ipa: ERROR: Active user uid=tuser,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com already exists Hi David, Jan, Thanks you so much for all those tests and feedback. I agree, some minor bugs can be fixed separatly from this main patches. You are right, It should return the user ID not the DN. 2) According to the design there should be '--only-delete' and '--also-delete' options for user-find command instead there is '--preserved' option. Honza proposed adding virtual boolean attribute 'deleted' to user entry and filter on it. The 'deleted' attribute would be useful also in user-show where is no way to tell if the displayed user is active or deleted. (Except running with --all and looking on the dn). Yes a bit late to resynch the design. The final option is 'preserved' for user-find and 'preserve' for user-del. '--only-delete' or 'also-delete' are old name that I need to replace in the design. About the 'deleted' attribute, do you think adding a DS cos virtual attribute ? See the attached patch. 3) uidNumber and gidNumber can't be set back to '-1' once set to other value. This would be useful when admin changes its mind and want IPA to assign them. IIUC, there should be no validation in cn=staged user container. All validation should be done during stageuser-activate. Yes that comes from user plugin that enforce the number to be 0. 
That is a good point giving the ability to reset uidNumber/gidNumber. I will check if it is possible, how (give a value or an option to reset), and also if it would not create other issue. 4) Support for deleted - stage workflow is still missing. But I'm unsure if we agreed to finish it now or later. Yes thanks 5) Twice deleting user with '--preserve' deletes him permanently. $ ipa user-add tuser --first Test --last User $ ipa user-del tuser --preserve $ ipa user-del tuser --preserve $ ipa user-find --preserved 0 (delete) users matched Number of entries returned 0 Deleting a deleted (preserved) entry, should permanently remove the entry. Now if the second time the preserve option is present, it makes sense to not delete it. BTW: I might be stating the obvious here, but it would be better to use one boolean parameter rather than two mutually exclusive flags in user-del. thanks theirry -- Jan Cholasta From 7151ebe30cac7877b31c3a682730ff3c63561e9f Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 20 May 2015 08:12:07 + Subject: [PATCH] User life cycle: provide preserved user virtual attribute https://fedorahosted.org/freeipa/ticket/3813 --- API.txt| 2 +- VERSION| 4 +-- ipalib/plugins/user.py | 74 ++ 3 files changed, 47 insertions(+), 33 deletions(-) diff --git a/API.txt b/API.txt index 0808f3c..37eba3f 100644 --- a/API.txt +++ b/API.txt 
@@ -4611,7 +4611,7 @@ option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalu option: Flag('pkey_only?', autofill=True, default=False) option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, query=True, required=False) option: Str('preferredlanguage', attribute=True, autofill=False, cli_name='preferredlanguage', multivalue=False, pattern='^(([a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?(\\s*,\\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\\=((0(\\.[0-9]{0,3})?)|(1(\\.0{0,3})?)))?)*)|(\\*))$', query=True, required=False) -option: Flag('preserved?', autofill=True, cli_name='preserved', default=False) +option: Bool('preserved', attribute=False, autofill=False, cli_name='preserved', default=False, multivalue=False, query=True, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Int('sizelimit?', autofill=False, minvalue=0) option: Str('sn', attribute=True, autofill=False, cli_name='last', multivalue=False, query=True, required=False) diff --git a/VERSION b/VERSION index c207558..40aa3a6 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=118 -# Last change:
Re: [Freeipa-devel] [UPSTREAM_FAILURES] Latest changes affect freeipa builds and client configuration
Hi Martin, Thank you! On 05/19/2015 05:42 PM, Martin Babinsky wrote: Hello Oleg, On 05/19/2015 05:21 PM, Oleg Fayans wrote: Dear colleagues I would like to notify you, that: 1. some of the recent changes in the upstream repo have broken the freeipa-client configuration. The symptoms are as follows: at some point during ipa-server-install the process fails with the following error: Restarting the web server Configuration of client side components failed! ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'myhome.net' '--server' 'testmaster.myhome.net' '--realm' 'MYHOME.NET' '--hostname' 'testmaster.myhome.net'' returned non-zero exit status 1 Looking at the ipaclient-install.log I could tell that the client was unable to authorize with the freshly installed master (kerberos issue?) I've attached the corresponding logs together with the session transcript of ipa-server-install command. This issue is observed since last Thursday at least. This error (and others of similar nature) should be fixed by the following commits: 7ff7b1f533cc10c44acf6020b545b253de1ad37b * move IPA-related http runtime directories to common subdirectory 5a741b614f39a148d849877e743200de5a7302db * explicitly destroy httpd service ccache file during httpinstance removal -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [TEST PLAN] User lifecycle plugin
On 05/19/2015 05:54 PM, thierry bordaz wrote: On 05/13/2015 05:54 PM, Martin Basti wrote: On 13/05/15 17:44, David Kupka wrote: On 05/13/2015 02:57 PM, Lenka Ryznarova wrote: Hi, I've prepared test plan design for User Lifecycle Plugin - [1]. Please review and let me know if you have any comments on that. Thanks, Lenka [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan Hi, thanks for sharing the test plan. I've quickly looked at it and have just 2 notes: 1) please add Verify that specific GID number of a staged entry is preserved after activation 2) In a block of tests Try activating staged entry with every-possible-attribute please add a activation tests. It should be possible to add/modify the attributes in staging are freely all the check must be applied when the user is activated. Hello, following tests are out of scope of API tests, but would be nice to have: * test to make sure the staged/deleted user is unable to kinit * opposite case the reactivated user is able to kinit (if this case is valid) * ACI tests: to make sure only proper roles can manipulate with staged users. Hello Lenka, This is looking as a very good set of tests. If you have time, you may also add those tests: * try do a simple bind with a stage/delete user * option only-delete, also-delete and --deleted are deprecated.. sorry the design is not up-to-date, now it is --preserved flag * Run the tests as admin +1 for above * Run the tests as a stageadm (member of 'User administrator') I would not push on this for version 1, IIRC we still miss the infrastructure to easily run tests like this. But +1 for the intent. * Try to update a stageuser with invalid uid/gidnumber (0 , or string) * Check that activated and undelete users are member of ipausers * Being authenticated with a newly activated user, check you have limited access to entries (only modify yourself) * Try to add (ldapadd) an entry directly in delete container, should not be allowed even for admin. 
* Create a user that is member of a 'system provisioning' role. 'system provisioning' role has the 'Stage user provisioning' priviledge. This user should only be allow to add 'stage' user (no read, delete, mod) I quickly checked the test case, I think it misses some of the basic test cases: - Add user, add him as a member of a custom group. Delete/preserve the user, check that he is no longer a member of that custom group - Add staged user via LDAP directly as this is the primary use case. Then try to activate it. The user may have different/minimal formats (more minimal than with stageuser-add), see design for examples. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [TEST PLAN] User lifecycle plugin
On 05/20/2015 10:38 AM, Martin Kosek wrote: On 05/19/2015 05:54 PM, thierry bordaz wrote: On 05/13/2015 05:54 PM, Martin Basti wrote: On 13/05/15 17:44, David Kupka wrote: On 05/13/2015 02:57 PM, Lenka Ryznarova wrote: Hi, I've prepared test plan design for User Lifecycle Plugin - [1]. Please review and let me know if you have any comments on that. Thanks, Lenka [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan Hi, thanks for sharing the test plan. I've quickly looked at it and have just 2 notes: 1) please add Verify that specific GID number of a staged entry is preserved after activation 2) In a block of tests Try activating staged entry with every-possible-attribute please add a activation tests. It should be possible to add/modify the attributes in staging are freely all the check must be applied when the user is activated. Hello, following tests are out of scope of API tests, but would be nice to have: * test to make sure the staged/deleted user is unable to kinit * opposite case the reactivated user is able to kinit (if this case is valid) * ACI tests: to make sure only proper roles can manipulate with staged users. Hello Lenka, This is looking as a very good set of tests. If you have time, you may also add those tests: * try do a simple bind with a stage/delete user * option only-delete, also-delete and --deleted are deprecated.. sorry the design is not up-to-date, now it is --preserved flag * Run the tests as admin +1 for above * Run the tests as a stageadm (member of 'User administrator') I would not push on this for version 1, IIRC we still miss the infrastructure to easily run tests like this. But +1 for the intent. If test infrastructure require 'admin', no problem. But I usually simply do the following commands before running the ULC CLI tests. 
(echo hello;echo hello) | ipa user-add --first=stage --last=administrator stageadm --password ipa role-add-member User Administrator --users=stageadm (echo hello;echo Secret123;echo Secret123) | kinit stageadm * Try to update a stageuser with invalid uid/gidnumber (0 , or string) * Check that activated and undelete users are member of ipausers * Being authenticated with a newly activated user, check you have limited access to entries (only modify yourself) * Try to add (ldapadd) an entry directly in delete container, should not be allowed even for admin. * Create a user that is member of a 'system provisioning' role. 'system provisioning' role has the 'Stage user provisioning' priviledge. This user should only be allow to add 'stage' user (no read, delete, mod) I quickly checked the test case, I think it misses some of the basic test cases: - Add user, add him as a member of a custom group. Delete/preserve the user, check that he is no longer a member of that custom group - Add staged user via LDAP directly as this is the primary use case. Then try to activate it. The user may have different/minimal formats (more minimal than with stageuser-add), see design for examples. +1 Yes I forgot the DS plugins (uniqueness, ref. int., memberof). uniqueness is scoping Active/Delete user (uid and ipaUniqueID). referential integrity scopes Active user for (member, manager, managedby, secretary, uniquemember...), so preserving a user should update those attributes. memberof scopes Active user, so preserving a user should update its memberof values -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 830 webui: fix empty table border in Firefox
On 05/19/2015 06:01 PM, Martin Babinsky wrote: On 05/15/2015 11:01 AM, Petr Vobornik wrote: Firefox suffers from: https://bugzilla.mozilla.org/show_bug.cgi?id=409254 This is a workaround to fix it. ACK Pushed to master: 9b5655607d1a777006721f12fc61de122e3ea4d6 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 851-852 webui: datetime widget with datepicker
On 05/19/2015 06:01 PM, Martin Babinsky wrote: On 05/18/2015 03:40 PM, Petr Vobornik wrote: Datetime widget was transform from a simple text input to 3 separate inputs: - date with bootstrap-datepicker - hour - minute e.g.: Validity end[ 2015-05-18 ] [23]:[01] UTC Vendor[ abc] Editation of seconds is not supported. https://fedorahosted.org/freeipa/ticket/4347 Works well for me. I would have only a small nitpick that it would be nice if the current date was highlighted in the datepicker widget for better orientation. This feature[1] was enabled. Otherwise ACK. pushed to master: * 9e3320403ae1bb34bbc2a96add188294ccfeb997 webui: add boostrap-datepicker files * 80251e772bf48219abc77b507c4cab6d0127c7b6 webui: datetime widget with datepicker [1] http://bootstrap-datepicker.readthedocs.org/en/latest/options.html#todayhighlight -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0251] Fix uniqueness: exclude compat tree from uid uniqueness plugin
Enforcing uniqueness for uid attribute prevent to move users to delete users subtree. Patch attached. -- Martin Basti From 1445d6adaae9844c6f7f51e46e357dc9bfd8741b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 20 May 2015 14:51:09 +0200 Subject: [PATCH] Uid uniqueness: fix: exclude compat tree from uniqueness Without this commit it is not possible to move user to staged area. --- install/updates/10-uniqueness.update | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index dd8ec3a752f857cecc4e1b71cc3893a7497c4338..050bfd55ec2e6a09c44700ae40757ee1d72c136f 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -60,6 +60,7 @@ default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
 default:uniqueness-attribute-name: uid
 default:uniqueness-subtrees: $SUFFIX
+default:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
 default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 default:uniqueness-across-all-subtrees: on
 default:uniqueness-subtree-entries-oc: posixAccount
@@ -71,6 +72,7 @@ default:nsslapd-pluginDescription: Enforce unique attribute values
 
 # uid uniqueness scopes Active/Delete containers
 dn: cn=uid uniqueness,cn=plugins,cn=config
+add:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
 add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 remove:uniqueness-across-all-subtrees: off
 add:uniqueness-across-all-subtrees: on
-- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
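Review bot: The new `cn=compat,$SUFFIX` exclusion is added in both hunks without a comment saying why an entire subtree is exempted from uid uniqueness, and the two descriptions disagree about what it fixes (the cover mail says moving users to the delete users subtree, the commit message says the staged area). A one-line comment above the new value, e.g. `# cn=compat holds plugin-generated views of the same users, so they must not count as uid duplicates when a user is moved between containers`, plus a reconciled commit message would make the exemption reviewable later. Presumably the compat tree mirrors each user's uid and that copy is what collided during the MODRDN; confirm this is the real cause rather than widening the exclusion speculatively, since every excluded subtree is a place where a duplicate uid is silently accepted. Note that only the staged users container and cn=compat are excluded, so the preserved/deleted users subtree stays in scope and a preserved uid still blocks creating an active user of that name; if that is intended, it belongs in the same comment.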
Re: [Freeipa-devel] [PATCH] 829 webui: option to not create user private group
On 05/13/2015 01:08 PM, Martin Basti wrote: On 12/05/15 17:58, Petr Vobornik wrote: Web UI was not able to create a user without a private group. New field added to user adder dialog to allow that. https://fedorahosted.org/freeipa/ticket/4986 ACK Pushed to master: 2361ac11ad15dcdceb1dd82ade66b7562b537a0a -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
On 05/20/2015 02:52 PM, Oleg Fayans wrote: Is this patch to be applied on top of the vanilla upstream tree, or does it require your previous patches applied before? it requires the install (0005) and ipa-command (0006) patch as well, submitted on 05/12 On 05/19/2015 02:16 PM, Ludwig Krispenz wrote: Hi, here is the latest patch for the plugin part, trying to address all problems found in the review Regards, Ludwig PS if you want you can get a separate diff top the last version On 05/12/2015 08:33 AM, Ludwig Krispenz wrote: Hi, I did split the patches, for easier review and to share work on it. The attachment contains 4 patches: - the ds plugin part as submitted for review - the changes to the ds plugin part done after review (not complete yet) - the ipa framework part (including Petr's improvements) - the install related part Regards, Ludwig On 04/21/2015 01:09 PM, Petr Vobornik wrote: On 04/21/2015 12:53 PM, Petr Vobornik wrote: On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: Hi, in the attachment you find the latest state of the topology plugin, it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer) It contains the plugin itself and a core of ipa commands to manage a topology. to be really applicable, some work outside is required, eg the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig I've looked at the python part, mostly because I want to start with POC of Web UI for topology. topology.py is clearly still a work in progress. I've reflected following comments into a patch to speed things up. What's in the patch: 1. git am complains about trailing whitespaces 2. pep8 check produces quite a lot of issues. New code should be almost with any (`E501 line too long` is not a hard rule) `git diff HEAD~1 -U0 | pep8 --diff` 3. some typos 4. A lot of unused imports 5. 
Option name --sname for 'Segment identifier' is not very friendly. I don't see any examples of command options in the design notes. 6. NO_UPG_MAGIC - leftover from other plugin? 7. suffix object has labels from segment 8. IPA framework has a support for nested object. Key is setting `parent_object = 'topologysuffix'` in topologysegment object. 9. repl_agmt_attrs could be in topologysegment takes_params. 10. missing various CRUD commands like topologysuffix-find and topologysuffix-show commands. Whats missing, not fixed: 1. last 2 lines of VERSION file are not updated 2. Mixed terminology. Somewhere is used suffix and somewhere replication area or just area. 3. Validation - suffix should check for dn - existence of both ends of a segment 4. print of segments in suffix-show needs to be improved or removed To discuss: a) Do params in topologysegment have to have a maxlength set? b) Terminology has to be united. Segments are nested in suffix but sometimes are called areas and suffix is 'the suffix'. User might be confused. E.g. shouldn't the object be named a topologyarea instead of topologysuffix? c) I've added all missing CRUD commands. Are there any which we don't want there, or want to restrict them. E.g. I can imagine that deleting a suffix should be prevented if it contains any segments (or it has to be forced (--force option)) d) Do we want to print segments in suffix-show? e) Mainly for Honza: I've added --show-segments option to suffix-show which defaults to True. I don't like the behavior of CLI, which asks to confirm the value all the time. My intention was to have it there by default, but also allow to disable it by --show-segments=False. I don't want to add it as Flag (--hide-segments) since it restricts versatility. I would like to see an optional flag which would be filled by default value if not explicitly defined and CLI would not ask for the option value. Also it would be better to split the work into more patches. E.g. 
DS plugin, installation, python plugin. So ds plugin review could be separated from the python part. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0035] do not check for directory manager password during KRA uninstall
On 19/05/15 20:14, Martin Babinsky wrote: On 05/19/2015 05:55 PM, Martin Basti wrote: On 19/05/15 16:41, Martin Basti wrote: On 19/05/15 16:19, Martin Babinsky wrote: On 05/19/2015 01:17 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5028 updated patch attached Thanks. ACK NACK, lint failed Attaching patch that passes lint. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0035] do not check for directory manager password during KRA uninstall
Dne 20.5.2015 v 15:07 Martin Basti napsal(a): On 19/05/15 20:14, Martin Babinsky wrote: On 05/19/2015 05:55 PM, Martin Basti wrote: On 19/05/15 16:41, Martin Basti wrote: On 19/05/15 16:19, Martin Babinsky wrote: On 05/19/2015 01:17 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5028 updated patch attached Thanks. ACK NACK, lint failed Attaching patch that passes lint. ACK Pushed to master: 9d8ac395c00e48c95f8fdccbc05d43dd144f82ad -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
Is this patch to be applied on top of the vanilla upstream tree, or does it require your previous patches applied before? On 05/19/2015 02:16 PM, Ludwig Krispenz wrote: Hi, here is the latest patch for the plugin part, trying to address all problems found in the review Regards, Ludwig PS if you want you can get a separate diff top the last version On 05/12/2015 08:33 AM, Ludwig Krispenz wrote: Hi, I did split the patches, for easier review and to share work on it. The attachment contains 4 patches: - the ds plugin part as submitted for review - the changes to the ds plugin part done after review (not complete yet) - the ipa framework part (including Petr's improvements) - the install related part Regards, Ludwig On 04/21/2015 01:09 PM, Petr Vobornik wrote: On 04/21/2015 12:53 PM, Petr Vobornik wrote: On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: Hi, in the attachment you find the latest state of the topology plugin, it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer) It contains the plugin itself and a core of ipa commands to manage a topology. to be really applicable, some work outside is required, eg the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig I've looked at the python part, mostly because I want to start with POC of Web UI for topology. topology.py is clearly still a work in progress. I've reflected following comments into a patch to speed things up. What's in the patch: 1. git am complains about trailing whitespaces 2. pep8 check produces quite a lot of issues. New code should be almost with any (`E501 line too long` is not a hard rule) `git diff HEAD~1 -U0 | pep8 --diff` 3. some typos 4. A lot of unused imports 5. Option name --sname for 'Segment identifier' is not very friendly. I don't see any examples of command options in the design notes. 6. NO_UPG_MAGIC - leftover from other plugin? 7. 
suffix object has labels from segment 8. IPA framework has a support for nested object. Key is setting `parent_object = 'topologysuffix'` in topologysegment object. 9. repl_agmt_attrs could be in topologysegment takes_params. 10. missing various CRUD commands like topologysuffix-find and topologysuffix-show commands. Whats missing, not fixed: 1. last 2 lines of VERSION file are not updated 2. Mixed terminology. Somewhere is used suffix and somewhere replication area or just area. 3. Validation - suffix should check for dn - existence of both ends of a segment 4. print of segments in suffix-show needs to be improved or removed To discuss: a) Do params in topologysegment have to have a maxlength set? b) Terminology has to be united. Segments are nested in suffix but sometimes are called areas and suffix is 'the suffix'. User might be confused. E.g. shouldn't the object be named a topologyarea instead of topologysuffix? c) I've added all missing CRUD commands. Are there any which we don't want there, or want to restrict them. E.g. I can imagine that deleting a suffix should be prevented if it contains any segments (or it has to be forced (--force option)) d) Do we want to print segments in suffix-show? e) Mainly for Honza: I've added --show-segments option to suffix-show which defaults to True. I don't like the behavior of CLI, which asks to confirm the value all the time. My intention was to have it there by default, but also allow to disable it by --show-segments=False. I don't want to add it as Flag (--hide-segments) since it restricts versatility. I would like to see an optional flag which would be filled by default value if not explicitly defined and CLI would not ask for the option value. Also it would be better to split the work into more patches. E.g. DS plugin, installation, python plugin. So ds plugin review could be separated from the python part. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. 
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
On 05/20/2015 02:58 PM, Ludwig Krispenz wrote: On 05/20/2015 02:52 PM, Oleg Fayans wrote: Is this patch to be applied on top of the vanilla upstream tree, or does it require your previous patches applied before? it requires the install (0005) and ipa-command (0006) patch as well, submitted on 05/12 Patch 0005 can't be applied on top of the new patch 3. Both patches contains adding of 70topology.ldif. Also please clear all trailing whitespaces from patch 3. $ git am freeipa-lkrispen-0003-plugin-part-manage-replication-topology-in-the-shaer.patch Applying: plugin part - manage replication topology in the shaerd tree /home/somebody/freeipa/.git/rebase-apply/patch:607: trailing whitespace. /home/somebody/freeipa/.git/rebase-apply/patch:740: trailing whitespace. * find the attrtype and return the corresponding /home/somebody/freeipa/.git/rebase-apply/patch:742: trailing whitespace. */ /home/somebody/freeipa/.git/rebase-apply/patch:745: trailing whitespace. /* attr is handling specific direction, /home/somebody/freeipa/.git/rebase-apply/patch:772: trailing whitespace. /* two static data structures to hold the warning: squelched 125 whitespace errors warning: 130 lines add whitespace errors. On 05/19/2015 02:16 PM, Ludwig Krispenz wrote: Hi, here is the latest patch for the plugin part, trying to address all problems found in the review Regards, Ludwig PS if you want you can get a separate diff top the last version On 05/12/2015 08:33 AM, Ludwig Krispenz wrote: Hi, I did split the patches, for easier review and to share work on it. 
The attachment contains 4 patches: - the ds plugin part as submitted for review - the changes to the ds plugin part done after review (not complete yet) - the ipa framework part (including Petr's improvements) - the install related part Regards, Ludwig On 04/21/2015 01:09 PM, Petr Vobornik wrote: On 04/21/2015 12:53 PM, Petr Vobornik wrote: On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: Hi, in the attachment you find the latest state of the topology plugin, it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer) It contains the plugin itself and a core of ipa commands to manage a topology. to be really applicable, some work outside is required, eg the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig I've looked at the python part, mostly because I want to start with POC of Web UI for topology. topology.py is clearly still a work in progress. I've reflected following comments into a patch to speed things up. What's in the patch: 1. git am complains about trailing whitespaces 2. pep8 check produces quite a lot of issues. New code should be almost with any (`E501 line too long` is not a hard rule) `git diff HEAD~1 -U0 | pep8 --diff` 3. some typos 4. A lot of unused imports 5. Option name --sname for 'Segment identifier' is not very friendly. I don't see any examples of command options in the design notes. 6. NO_UPG_MAGIC - leftover from other plugin? 7. suffix object has labels from segment 8. IPA framework has a support for nested object. Key is setting `parent_object = 'topologysuffix'` in topologysegment object. 9. repl_agmt_attrs could be in topologysegment takes_params. 10. missing various CRUD commands like topologysuffix-find and topologysuffix-show commands. Whats missing, not fixed: 1. last 2 lines of VERSION file are not updated 2. Mixed terminology. 
Somewhere is used suffix and somewhere replication area or just area. 3. Validation - suffix should check for dn - existence of both ends of a segment 4. print of segments in suffix-show needs to be improved or removed To discuss: a) Do params in topologysegment have to have a maxlength set? b) Terminology has to be united. Segments are nested in suffix but sometimes are called areas and suffix is 'the suffix'. User might be confused. E.g. shouldn't the object be named a topologyarea instead of topologysuffix? c) I've added all missing CRUD commands. Are there any which we don't want there, or want to restrict them. E.g. I can imagine that deleting a suffix should be prevented if it contains any segments (or it has to be forced (--force option)) d) Do we want to print segments in suffix-show? e) Mainly for Honza: I've added --show-segments option to suffix-show which defaults to True. I don't like the behavior of CLI, which asks to confirm the value all the time. My intention was to have it there by default, but also allow to disable it by --show-segments=False. I don't want to add it as Flag (--hide-segments) since it restricts versatility. I would like to see an optional flag which would be filled by default value if not explicitly defined and CLI would not ask for the option value. Also it would be better to split the work into more patches. E.g. DS plugin, installation, python plugin. So ds
[Freeipa-devel] [PATCH] 854 git ignore ipaplatform/__init__.py
This file is generated in `make version-update` added in 9f049ca14403f3696d54d186e6b1b15181f055df -- Petr Vobornik From 9af7da77015eb4fee728144bd9502ee8a8a0555c Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 20 May 2015 15:51:26 +0200 Subject: [PATCH] git ignore ipaplatform/__init__.py This file is generated in `make version-update` added in 9f049ca14403f3696d54d186e6b1b15181f055df
--- .gitignore | 1 + 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index c4c761903d29e1b9f62c7ece04dbaa187fb84de8..fa35df85abd5b18522d2be17070c3d8aceb9bdc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,6 +73,7 @@ freeipa2-dev-doc
 !/ipapython/py_default_encoding/Makefile
 !/ipapython/ipap11helper/Makefile
+/ipaplatform/__init__.py
 /ipaplatform/setup.py
 /ipaplatform/tasks.py
 /ipaplatform/services.py
-- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] manage replication topology in the shared tree
On 05/20/2015 03:07 PM, Petr Vobornik wrote: On 05/20/2015 02:58 PM, Ludwig Krispenz wrote: On 05/20/2015 02:52 PM, Oleg Fayans wrote: Is this patch to be applied on top of the vanilla upstream tree, or does it require your previous patches applied before? it requires the install (0005) and ipa-command (0006) patches as well, submitted on 05/12. Patch 0005 can't be applied on top of the new patch 3. Both patches contain the addition of 70topology.ldif. OK, this was my mistake when splitting the original patch; it should only be in the plugin part. The trailing spaces are in most cases leftovers from the request to make lines shorter; I will fix it in a new version. Also please clear all trailing whitespaces from patch 3. $ git am freeipa-lkrispen-0003-plugin-part-manage-replication-topology-in-the-shaer.patch Applying: plugin part - manage replication topology in the shaerd tree /home/somebody/freeipa/.git/rebase-apply/patch:607: trailing whitespace. /home/somebody/freeipa/.git/rebase-apply/patch:740: trailing whitespace. * find the attrtype and return the corresponding /home/somebody/freeipa/.git/rebase-apply/patch:742: trailing whitespace. */ /home/somebody/freeipa/.git/rebase-apply/patch:745: trailing whitespace. /* attr is handling specific direction, /home/somebody/freeipa/.git/rebase-apply/patch:772: trailing whitespace. /* two static data structures to hold the warning: squelched 125 whitespace errors warning: 130 lines add whitespace errors. On 05/19/2015 02:16 PM, Ludwig Krispenz wrote: Hi, here is the latest patch for the plugin part, trying to address all problems found in the review. Regards, Ludwig PS if you want you can get a separate diff to the last version On 05/12/2015 08:33 AM, Ludwig Krispenz wrote: Hi, I did split the patches, for easier review and to share work on it. 
The attachment contains 4 patches: - the ds plugin part as submitted for review - the changes to the ds plugin part done after review (not complete yet) - the ipa framework part (including Petr's improvements) - the install related part Regards, Ludwig On 04/21/2015 01:09 PM, Petr Vobornik wrote: On 04/21/2015 12:53 PM, Petr Vobornik wrote: On 04/13/2015 10:56 AM, Ludwig Krispenz wrote: Hi, in the attachment you find the latest state of the topology plugin, it implements what is defined in the design page: http://www.freeipa.org/page/V4/Manage_replication_topology (which is also waiting for a reviewer) It contains the plugin itself and a core of ipa commands to manage a topology. To be really applicable, some work outside is required, eg the management of the domain level and a decision where the binddn group should be maintained. Thanks, Ludwig I've looked at the python part, mostly because I want to start with POC of Web UI for topology. topology.py is clearly still a work in progress. I've reflected the following comments into a patch to speed things up. What's in the patch: 1. git am complains about trailing whitespaces 2. pep8 check produces quite a lot of issues. New code should be almost without any (`E501 line too long` is not a hard rule) `git diff HEAD~1 -U0 | pep8 --diff` 3. some typos 4. A lot of unused imports 5. Option name --sname for 'Segment identifier' is not very friendly. I don't see any examples of command options in the design notes. 6. NO_UPG_MAGIC - leftover from other plugin? 7. suffix object has labels from segment 8. IPA framework has support for nested objects. Key is setting `parent_object = 'topologysuffix'` in topologysegment object. 9. repl_agmt_attrs could be in topologysegment takes_params. 10. missing various CRUD commands like topologysuffix-find and topologysuffix-show commands. What's missing, not fixed: 1. last 2 lines of VERSION file are not updated 2. Mixed terminology. 
Somewhere is used suffix and somewhere replication area or just area. 3. Validation - suffix should check for dn - existence of both ends of a segment 4. print of segments in suffix-show needs to be improved or removed To discuss: a) Do params in topologysegment have to have a maxlength set? b) Terminology has to be united. Segments are nested in suffix but sometimes are called areas and suffix is 'the suffix'. User might be confused. E.g. shouldn't the object be named a topologyarea instead of topologysuffix? c) I've added all missing CRUD commands. Are there any which we don't want there, or want to restrict them. E.g. I can imagine that deleting a suffix should be prevented if it contains any segments (or it has to be forced (--force option)) d) Do we want to print segments in suffix-show? e) Mainly for Honza: I've added --show-segments option to suffix-show which defaults to True. I don't like the behavior of CLI, which asks to confirm the value all the time. My intention was to have it there by default, but also allow to disable it by --show-segments=False. I don't want to add it as Flag (--hide-segments) since it restricts
[Freeipa-devel] [PATCHES 0252-0253] DNSSEC: allow to move DNSSEC key master to another IPA server
This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. -- Martin Basti From 68ce33509c3ea12a2af9401e6856ab14a812ddd0 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 20 May 2015 17:49:08 +0200 Subject: [PATCH 2/2] DNSSEC: update message https://fedorahosted.org/freeipa/ticket/4657 --- install/tools/ipa-replica-manage | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 4f92c0c927b3267eeb466a06d3283823c05437b0..f19c13e4af3746474e915b16c600e548c16b2f72 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -701,6 +701,7 @@ def del_master(realm, hostname, options): dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn) if hostname in dnssec_masters: print Replica is active DNSSEC key master. Uninstall could break your DNS system. +print Please disable or replace DNSSEC key master first. sys.exit(Deletion aborted) # Pick CA renewal master -- 2.1.0 From 3fb190e9b687cd0d49c0331521d687279e1c7f1a Mon Sep 17 00:00:00 2001 
From: Martin Basti mba...@redhat.com Date: Wed, 13 May 2015 14:45:32 +0200 Subject: [PATCH 1/2] DNSSEC: allow to disable/replace DNSSEC key master This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --replace-dnssec-master=IPA_SERVER DNSSEC master will be replaced, by IPA_SERVER (required to rerun ipa-dns-install wit appropriate options). --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required https://fedorahosted.org/freeipa/ticket/4657 --- install/tools/ipa-dns-install| 28 - ipaplatform/base/paths.py| 1 + ipaserver/install/dns.py | 195 +-- ipaserver/install/odsexporterinstance.py | 12 +- ipaserver/install/opendnssecinstance.py | 52 +++-- 5 files changed, 268 insertions(+), 20 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index fd9311657e813988310db2be604ca68d26936af5..711749ccfc6851338095cb20dfc40b2ff930c747 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -61,6 +61,17 @@ def parse_options(): help=DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN) parser.add_option(-U, --unattended, dest=unattended, action=store_true, default=False, help=unattended installation never prompts the user) +parser.add_option(--disable-dnssec-master, dest=disable_dnssec_master, + action=store_true, default=False, help=Disable DNSSEC + master on this server) +parser.add_option(--replace-dnssec-master, dest=replace_dnssec_master, + type=string, metavar=IPA_DNS_SERVER_HOSTNAME, + action=store, help=Replace current DNSSEC master + with specified IPA server) +parser.add_option(--kasp-db, dest=kasp_db_file, type=string, + metavar=FILE, action=store, help=Do not create new + kasp.db database for DNSSEC metadata, but copy metadata + from the specified file) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -70,10 +81,17 @@ def parse_options(): elif options.reverse_zones and options.no_reverse: parser.error(You cannot specify a --reverse-zone option together with --no-reverse) +if options.disable_dnssec_master and options.replace_dnssec_master: +parser.error(You cannot specify a --disable-dnssec-master option + together with --replace-dnssec-master) + if options.unattended: if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) +if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file): +parser.error(File %s does not exist % options.kasp_db_file) + if options.dm_password: print (WARNING: Option -p/--ds-password is deprecated and should not be used anymore.) @@ -106,8 +124,14 @@ def main(): options.setup_ca = False -dns_installer.install_check(True, False, options, hostname=api.env.host) -dns_installer.install(True, False, options) +if options.disable_dnssec_master: +dns_installer.disable_dnssec_master(options.unattended) +elif options.replace_dnssec_master: +
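Review bot: The new `--kasp-db` option is validated only for file existence, so parse_options() silently accepts it together with `--disable-dnssec-master` or `--replace-dnssec-master`, although the commit message describes it as meaningful only with `--dnssec-master`; the mutual-exclusion block added in the second hunk should also reject that combination, e.g. `if options.kasp_db_file and (options.disable_dnssec_master or options.replace_dnssec_master): parser.error("--kasp-db can only be used with --dnssec-master")`, and ideally require the existing `--dnssec-master` option's dest (not visible in this hunk) to be set. Indentation was lost in this rendering, so it cannot be confirmed whether the `ipautil.file_exists` check sits inside the `if options.unattended:` block; if it does, interactive runs would skip it and fail later. The third hunk (main()) is cut off at the end of the message, so the disable/replace dispatch it adds is not reviewed here.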
Re: [Freeipa-devel] [PATCH 428] client-install: Fix kinits with non-default Kerberos config file
On 05/20/2015 04:28 PM, Jan Cholasta wrote: Hi, the attached patch fixes a bug introduced in the fix for https://fedorahosted.org/freeipa/ticket/4808 (reopened). Honza Works for me, ACK. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
Rob Crittenden wrote: Rob Crittenden wrote: Add a plugin to manage service delegations, like the one allowing the HTTP service to obtain an ldap service ticket on behalf of the user. This does not include impersonation targets, so one cannot yet limit by user what tickets can be obtained. There is also no referential integrity for the memberPrincipal attribute since it is a string and not a DN. I don't see a way around this that isn't either clunky or requires a 389-ds plugin, both of which are overkill in this case IMHO. If you wonder why all the overrides it's because all of this is stored in the same container, and membership-like functions are used for a non-DN attribute (memberPrincipal). I used Alexander's patch in the ticket as a jumping off point. Removed a couple of hardcoded domain/realm elements in the tests. I must be getting rustly. Forgot to include ACIs. Added now. rob From f68fcf59b9792795d405bc35e5a8c3372f0fea7d Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 14 May 2015 13:08:58 + Subject: [PATCH] Add plugin to manage service constraints Service Constraints are the delegation model used by ipa-kdb to grant service A to obtain a TGT for a user against service B. https://fedorahosted.org/freeipa/ticket/3644 --- ACI.txt| 8 + API.txt| 72 VERSION| 4 +- install/updates/20-indices.update | 9 + install/updates/25-referint.update | 1 + ipalib/plugins/serviceconstraint.py| 473 ipatests/test_xmlrpc/objectclasses.py | 11 + .../test_xmlrpc/test_serviceconstraint_plugin.py | 479 + 8 files changed, 1055 insertions(+), 2 deletions(-) create mode 100644 ipalib/plugins/serviceconstraint.py create mode 100644 ipatests/test_xmlrpc/test_serviceconstraint_plugin.py diff --git a/ACI.txt b/ACI.txt index bf539892910f14ebc3fbee88a72d2b57c0d1327b..c9dc92fe63c46992f0a99fca84b2a12d3ce03ce0 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -212,6 +212,14 @@ dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetattr = createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate)(targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:System: Read Services;allow (compare,read,search) userdn = ldap:///all;;) dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:System: Remove Services;allow (delete) groupdn = ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example +aci: (targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Add Service Constraints;allow (add) groupdn = ldap:///cn=System: Add Service Constraints,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example +aci: (targetattr = ipaallowedtarget || memberprincipal)(targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Modify Service Constraint Membership;allow (write) groupdn = ldap:///cn=System: Modify Service Constraint Membership,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example +aci: (targetattr = cn || createtimestamp || entryusn || ipaallowedtarget || memberprincipal || modifytimestamp || objectclass)(targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Read Service Constraints;allow (compare,read,search) groupdn = ldap:///cn=System: Read Service Constraints,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example +aci: (targetfilter = (objectclass=groupofprincipals))(version 3.0;acl permission:System: Remove Service Constraints;allow (delete) groupdn = 
ldap:///cn=System: Remove Service Constraints,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example aci: (targetattr = *)(target = ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example)(targetfilter = (objectclass=*))(version 3.0;acl permission:System: Add Stage Users by Provisioning and Administrators;allow (add) groupdn = ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 0808f3c64595495c8a9e60da5cbd689d5cdc6224..b548132a1e119204cd8452c4b8db80fa00263ccc 100644 --- a/API.txt +++ b/API.txt @@ -3694,6 +3694,78 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict',
[Freeipa-devel] [PATCH 428] client-install: Fix kinits with non-default Kerberos config file
Hi, the attached patch fixes a bug introduced in the fix for https://fedorahosted.org/freeipa/ticket/4808 (reopened). Honza -- Jan Cholasta From c3bac104f2d04ff964e187e5f078d79ca3fb303f Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 20 May 2015 14:23:30 + Subject: [PATCH] client-install: Fix kinits with non-default Kerberos config file https://fedorahosted.org/freeipa/ticket/4808 --- ipa-client/ipa-install/ipa-client-install | 5 - ipapython/ipautil.py | 21 ++--- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index efa97a9..63e3c98 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2441,7 +2441,8 @@ def install(options, env, fstore, statestore): stdin = sys.stdin.readline() try: -ipautil.kinit_password(principal, stdin, ccache_name) +ipautil.kinit_password(principal, stdin, ccache_name, + config=krb_name) except RuntimeError as e: print_port_conf_info() root_logger.error(Kerberos authentication failed: %s % e) @@ -2452,6 +2453,7 @@ def install(options, env, fstore, statestore): try: ipautil.kinit_keytab(host_principal, options.keytab, ccache_name, + config=krb_name, attempts=options.kinit_attempts) except Krb5Error as e: print_port_conf_info() @@ -2530,6 +2532,7 @@ def install(options, env, fstore, statestore): try: ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE, + config=krb_name, attempts=options.kinit_attempts) env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE except Krb5Error as e: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index bdbf8da..abdb96d 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -1186,7 +1186,7 @@ def wait_for_open_socket(socket_name, timeout=0): raise e -def kinit_keytab(principal, keytab, ccache_name, attempts=1): +def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): Given a ccache_path, keytab file and a principal kinit as that user. @@ -1199,6 +1199,11 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1): % (principal, keytab)) root_logger.debug(using ccache %s % ccache_name) for attempt in range(1, attempts + 1): +old_config = os.environ.get('KRB5_CONFIG') +if config is not None: +os.environ['KRB5_CONFIG'] = config +else: +os.environ.pop('KRB5_CONFIG', None) try: krbcontext = krbV.default_context() ktab = krbV.Keytab(name=keytab, context=krbcontext) @@ -1221,9 +1226,15 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1): raise root_logger.debug(Waiting 5 seconds before next retry) time.sleep(5) +finally: +if old_config is not None: +os.environ['KRB5_CONFIG'] = old_config +else: +os.environ.pop('KRB5_CONFIG', None) -def kinit_password(principal, password, ccache_name, armor_ccache_name=None): +def kinit_password(principal, password, ccache_name, config=None, + armor_ccache_name=None): perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service 
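Review bot: In the `@@ -1199` hunk the `else: os.environ.pop('KRB5_CONFIG', None)` branch removes a KRB5_CONFIG that the calling process already had in its environment whenever config is None, so any existing caller of kinit_keytab() that relied on an externally set KRB5_CONFIG would now kinit against the default configuration for the duration of the call; if that is not intended, drop the `else` branch and keep only `if config is not None: os.environ['KRB5_CONFIG'] = config`, leaving the `finally` restore in the `@@ -1221` hunk as it is. Mutating os.environ is also process-wide rather than per call, unlike the kinit_password() change in the next hunk which hands the setting to the child via `env`; a comment above the assignment such as `# krbV reads KRB5_CONFIG from the process environment, so set it for this attempt only and restore it in the finally block` would record why the two functions differ. The body of kinit_keytab() begins before the `@@ -1199` hunk (only its signature is shown in the `@@ -1186` hunk).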
@@ -1236,9 +1247,13 @@ def kinit_password(principal, password, ccache_name, armor_ccache_name=None): % armor_ccache_name) args.extend(['-T', armor_ccache_name]) +env = {'LC_ALL': 'C'} +if config is not None: +env['KRB5_CONFIG'] = config + # this workaround enables us to capture stderr and put it # into the raised exception in case of unsuccessful authentication -(stdout, stderr, retcode) = run(args, stdin=password, env={'LC_ALL': 'C'}, +(stdout, stderr, retcode) = run(args, stdin=password, env=env, raiseonerr=False) if retcode: raise RuntimeError(stderr) -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0001-0011 v3] Profile management
Hi Honza, Martin et al, Latest patches attached. On top of previous patches (most review matters addressed**) patches 0008..0011 add support for profiles and user certificates to `ipa cert-request'. ** those that were not are being tracked at [1]; please add anything I missed. Some points to note: - usercertificate is not yet a multi-valued attribute for users, hosts and services. QUESTION - we do want to allow multiple certificates for all principal types, not just users? Or have I got that wrong. - DN and SAN match principal checks are not implemented for users yet. - ACL was added to allow user principals to request their own certificates, however, this will be further subject to CA/profile ACLs which are to come. - Pursuant to [2] revocation logic was removed from `cert-request' [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress [2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates Thanks, Fraser From 07599bb290fdd23990c978489bc3b08d493caed6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Mon, 20 Apr 2015 23:20:19 -0400 Subject: [PATCH 01/11] Install CA with LDAP profiles backend Install the Dogtag CA to use the LDAPProfileSubsystem instead of the default (file-based) ProfileSubsystem. Part of: https://fedorahosted.org/freeipa/ticket/4560 --- ipaserver/install/cainstance.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -503,6 +503,7 @@ class CAInstance(DogtagInstance): config.set(CA, pki_restart_configured_instance, False) config.set(CA, pki_backup_keys, True) config.set(CA, pki_backup_password, self.admin_password) +config.set(CA, pki_profiles_in_ldap, True) # Client security database config.set(CA, pki_client_database_dir, self.agent_db) -- 2.1.0 
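Review bot: The added `pki_profiles_in_ldap` setting is the only place the switch from Dogtag's file-based ProfileSubsystem to LDAPProfileSubsystem is made, and it carries no comment, so the intent stated in the commit message is not visible in the code; a one-line comment above it, e.g. `# Use Dogtag's LDAPProfileSubsystem so certificate profiles are stored in LDAP instead of per-instance files`, would keep that next to the other pki_* settings. The enclosing CAInstance method starts before this hunk.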
From c1fafbce7b077c6981381b727f1dc9571ccf2f19 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale ftwee...@redhat.com Date: Tue, 21 Apr 2015 02:24:10 -0400 Subject: [PATCH 02/11] Add schema for certificate profiles The certprofile object class is used to track IPA-managed certificate profiles in Dogtag and store IPA-specific settings. Part of: https://fedorahosted.org/freeipa/ticket/57 --- install/share/60certificate-profiles.ldif | 3 +++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 12 ipaserver/install/dsinstance.py | 1 + 4 files changed, 17 insertions(+) create mode 100644 install/share/60certificate-profiles.ldif diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif new file mode 100644 index ..dcf4680589c98dad165141b1e13946c161a6abd7 --- /dev/null +++ b/install/share/60certificate-profiles.ldif @@ -0,0 +1,3 @@ +dn: cn=schema +attributeTypes: (2.16.840.1.113730.3.8.19.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.19.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index ca6128e2911ab5c0a773dd553f8e67eab944f120..2cae5279079cdd3e0d793667f4d1bf4e44757b9e 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,6 +16,7 @@ app_DATA =\ 60basev3.ldif \ 60ipadns.ldif \ 60ipapk11.ldif \ + 60certificate-profiles.ldif \ 61kerberos-ipav3.ldif \ 65ipacertstore.ldif \ 65ipasudo.ldif \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -429,3 +429,15 @@ cn: ${REALM}_id_range ipaBaseID: $IDSTART ipaIDRangeSize: $IDRANGE_SIZE ipaRangeType: ipa-local + +dn: cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca + +dn: cn=certprofiles,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: certprofiles diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index f1d24e49d1b184efde1c8d18ff37d0e329037ccc..210992fc41127de29d41b889e33a312613ae28da 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -56,6 +56,7 @@ IPA_SCHEMA_FILES = (60kerberos.ldif,