[Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module
Hello, the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname. https://fedorahosted.org/freeipa/ticket/5068 Open question - Is paths.IPA_NSSDB_DIR the correct NSSDB? Christian From 976427e5c448093131a99bdf77fc9d23c2d87883 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 7 Jul 2015 15:10:28 +0200 Subject: [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to lookup trust anchors. NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required. https://fedorahosted.org/freeipa/ticket/5068 --- freeipa.spec.in| 2 -- ipalib/plugins/otptoken.py | 36 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 52af50dd0cac1902759d6d58061d73c7f80b3a0e..c419164410e33f0bc26762bed295f8c704f205fc 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,7 +92,6 @@ BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico = 1.2.3 -BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel = 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel @@ -252,7 +251,6 @@ Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils -Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils Conflicts: %{alt_name}-client diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 294c1c54afdfa6a13d37766d6851affa44ece60c..07df0ee3ee29032aaee35f1afc4d0b882d67ea75 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py 
@@ -24,8 +24,9 @@ from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError from ipalib.request import context from ipalib.frontend import Local +from ipaplatform.paths import paths +from ipapython.nsslib import NSSConnection -from backports.ssl_match_hostname import match_hostname import base64 import uuid import urllib @@ -34,7 +35,6 @@ import httplib import urlparse import qrcode import os -import ssl __doc__ = _( OTP Tokens @@ -471,28 +471,6 @@ class otptoken_remove_managedby(LDAPRemoveMember): member_attributes = ['managedby'] -class HTTPSConnection(httplib.HTTPConnection): -Generates an SSL HTTP connection that performs hostname validation. - -ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101 -default_port = httplib.HTTPS_PORT - -def __init__(self, host, **kwargs): -# Strip out arguments we want to pass to ssl.wrap_socket() -self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs} -for k in self.__kwargs: -del kwargs[k] - -# Can't use super() because the parent is an old-style class. -httplib.HTTPConnection.__init__(self, host, **kwargs) - -def connect(self): -# Create the raw socket and wrap it in ssl. -httplib.HTTPConnection.connect(self) -self.sock = ssl.wrap_socket(self.sock, **self.__kwargs) - -# Verify the remote hostname. -match_hostname(self.sock.getpeercert(), self.host.split(':', 1)[0]) class HTTPSHandler(urllib2.HTTPSHandler): Opens SSL HTTPS connections that perform hostname validation. @@ -506,7 +484,9 @@ class HTTPSHandler(urllib2.HTTPSHandler): def __inner(self, host, **kwargs): tmp = self.__kwargs.copy() tmp.update(kwargs) -return HTTPSConnection(host, **tmp) +# NSSConnection doesn't support timeout argument +tmp.pop('timeout', None) +return NSSConnection(host, **tmp) def https_open(self, req): return self.do_open(self.__inner, req) 
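Review bot: In the `__inner` hunk (@@ -506,7 +484,9), `tmp.pop('timeout', None)` silently discards the timeout that urllib2 hands to `do_open`, so the token-sync connection built by `NSSConnection(host, **tmp)` has no upper bound and a stalled sync endpoint can block `otptoken-sync` indefinitely, where the deleted `HTTPSConnection` inherited httplib's timeout. If nsslib offers no timeout parameter, the comment should at least state the consequence, e.g. `# NSSConnection doesn't support timeout argument; the sync request is therefore unbounded`, and a socket-level bound applied after connect (if NSSConnection exposes the socket) would be the real fix. The deleted class enforced `cert_reqs` and `match_hostname` explicitly; the new code delegates both to NSS, which is worth one sentence in HTTPSHandler's docstring so the next reader does not look for the check here. HTTPSHandler's `__init__` and the start of the class are outside this hunk.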
@@ -548,9 +528,9 @@ class otptoken_sync(Local): # Sync the token. # pylint: disable=E1101 -handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'), - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) +handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) rsp = urllib2.build_opener(handler).open(sync_uri, query) if rsp.getcode() == 200: status['result'][self.header] = rsp.info().get(self.header, 'unknown') -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
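Review bot: The trust anchors for the sync request change from the single IPA CA file (`confdir/ca.crt` with `CERT_REQUIRED`) to whatever is trusted in `paths.IPA_NSSDB_DIR`, which the cover letter itself leaves as an open question; if that database trusts more than the IPA CA, the remote is validated against a wider set of CAs than before, and if its trust flags are not set for the IPA CA the sync will fail. The review should confirm the NSS DB reproduces the previous pinning and record the decision next to the handler, e.g. `# Trust anchors: IPA NSS DB (was confdir/ca.crt); TLS bounds follow api.env`. The new lines also switch from `self.api.env` to the module-level `api`, which presumably resolve to the same object but mixing both in one method is a style nit. `otptoken_sync.execute` starts outside this hunk.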
Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features
On 07/07/15 10:33, Tomas Babej wrote: Hi, * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.
On 03/07/15 06:17, David Kupka wrote: Since ipa-replica-* tools will be soon removed I think this simple check should be enough. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features
On 04/07/15 16:58, Fraser Tweedale wrote: On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): Attached patches fix a couple of important gaps in certprofile plugin: - Add --out option to export Dogtag profile data to file https://fedorahosted.org/freeipa/ticket/5091 - Add --file option to update existing profile in Dogtag https://fedorahosted.org/freeipa/ticket/5093 NACK on patchset v2; does not work (even after makeapi, which I forgot to include in updated patchset). I keep getting error ``ipa: ERROR: Unknown option: file''. Need to investigate why, but other patches are taking priority right now. Here is patchset v3, which is just v1 rebased on latest master. Thanks, Fraser Updated patch 0025 (v4). Profile now gets re-enabled if profile update fails. Patch 0024 remains at v3. Thanks, Fraser ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
On 03/07/15 16:41, Martin Babinsky wrote: On 07/02/2015 01:58 PM, Martin Babinsky wrote: First attempt at https://fedorahosted.org/freeipa/ticket/4768 Attaching reworked patch. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed
https://fedorahosted.org/freeipa/ticket/5101 Patch attached. -- Martin Basti From f5de8e7a9ecd8f8220bd542d9ff264ce7917a829 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 7 Jul 2015 16:28:48 +0200 Subject: [PATCH] Fix regression: ipa-dns-install will add CA records if required https://fedorahosted.org/freeipa/ticket/5101 --- install/tools/ipa-dns-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 3fcda04e71d77e25ef328e2037b9e147ed1403bc..34b952859e56c6aa5ae861a4d1fb615f0a2d8f55 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -120,7 +120,7 @@ def main(): api.Backend.ldap2.connect(autobind=True) -options.setup_ca = False +options.setup_ca = None # must be None to enable autodetection dns_installer.install_check(True, False, options, hostname=api.env.host) dns_installer.install(True, False, options) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
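Review bot: `options.setup_ca = None` depends on a three-valued option where the None/False distinction is exactly what regressed, and the inline comment names the intent but not where it is interpreted. Suggest pointing the comment at the consumer so the next edit does not repeat the regression, e.g. `# None (not False): lets dns_installer.install_check() detect an installed CA and add its records` (assuming the detection lives in dns_installer, which this hunk does not show). `main()` continues outside the hunk.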
Re: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py
On 07/04/2015 02:03 PM, Jérôme Fenal wrote: Hi all, A quick patch to the man page part of stageuser to avoid ambiguity in the phrasing, spotted while translating the page. Regards, J. Thanks, ACK. I will not push this patch to master until we branch off 4.2 development branch as it would disrupt already translated strings in the other languages. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server
On 07/01/2015 12:47 PM, Petr Spacek wrote: On 1.7.2015 12:35, Martin Basti wrote: On 30/06/15 22:09, Petr Spacek wrote: On 30.6.2015 16:04, Martin Basti wrote: On 30/06/15 10:25, Martin Basti wrote: On 29/06/15 15:16, Martin Basti wrote: On 25/06/15 13:46, Petr Spacek wrote: On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA server, or replace current DNSSEC key master with another IPA server. Only for master branch. https://fedorahosted.org/freeipa/ticket/4657 Patches attached. NACK. This happens on DNSSEC key master: $ ipa-dns-install --disable-dnssec-master Do you want to disable current DNSSEC key master? [no]: yes Unexpected error - see /var/log/ipaserver-install.log for details: TypeError: sequence item 0: expected string, DNSName found 2015-06-05T10:52:35Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 733, in run_script return_value = main_function() File /sbin/ipa-dns-install, line 128, in main dns_installer.disable_dnssec_master(options.unattended) File /usr/lib/python2.7/site-packages/ipaserver/install/dns.py, line 112, in disable_dnssec_master , .join(dnssec_zones)) 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed, exception: TypeError: sequence item 0: expected string, DNSName found Updated patches attached. Due new installers, more changes were required. Sorry, NACK, I'm not able to apply this patch set to current master (69607250b9762a6c9b657dd31653b03d54a7b411). Rebased patches attached. NACK. 0) ipa-dns-install --replace-dnssec-master always puts file into /root/ipa-kasp.db. It would be better to put it into local working directory or /var/lib/ipa (as with replica files). 
1) I installed DNSSEC key master role on the vm-134 but DNSSEC services were not stopped by ipactl stop: [root@vm-134 review]# ipactl stop Stopping ipa-otpd Service Stopping httpd Service Stopping ipa_memcached Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service ipa: INFO: The ipactl command was successful [root@vm-134 review]# ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting ipa-otpd Service Starting ipa-ods-exporter Service Starting ods-enforcerd Service Starting ipa-dnskeysyncd Service Subsequent ipactl stop worked fine, only the first one is affected. 2a) vm-134 was the original master. I ran this: [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com ... and then attempted to install master to vm-059: [root@vm-059 review]# ipa-dns-install --dnssec-master This command was accepted despite of missing --kasp-db option and wrong replica name. It should error out and tell the user to run the command with --kasp-db option. Even better, we could get rid of explicit replica name specification in --replace-dnssec-master option and allow to run installation with --kasp-db on any replica as long as the kasp.db file is provided. 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without* specifying --kasp-db option was accepted. [root@vm-090 review]# ipa-dns-install --dnssec-master As in case (2a), it should print what user is supposed to do. I propose following text: Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is being moved to different server. 
You need to copy kasp.db file from vm-134.abc.idm.lab.eng.brq.redhat.com and run following command to complete the transition: # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db 3) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com does not remove ISMASTER option from file /etc/sysconfig/ipa-dnskeysyncd . 4) [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com it is possible to run [root@vm-134 review]# ipa-dns-install --dnssec-master again without --kasp-db and it is accepted. Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not properly removed from cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example. 5) Sequence of commands [root@vm-134 review]# ipa-dns-install --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com [root@vm-090 review]# ipa-replica-manage del vm-134.abc.idm.lab.eng.brq.redhat.com allows me to run [root@vm-090 review]# ipa-dns-install --dnssec-master without --kasp-db option, it does not throw an error, and the information that some other master existed somewhere is lost. It would be probably better
Re: [Freeipa-devel] [PATCH] Password vault
Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): Here is the rebased patch for vault access control. LGTM, except: @@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], +'aci': +'(targetfilter=(objectClass=ipaVault))' + +'(version 3.0; ' + +'acl User can manage private vaults; ' + +'allow(read, search, compare, add, delete) ' + +'userdn=ldap:///%s;;)' +% owner_dn }) # if entry can be added, return I don't think dynamically creating ACIs with hardcoded userdn is something we want to do. This should be handled by a single ACI in cn=vaults. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
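Review bot: Beyond the design question already raised in the thread, the added `'aci'` value interpolates `owner_dn` into ACI syntax with `%` and no escaping; a DN containing characters significant to the ACI grammar (quotes, `;`, `)`) would yield a malformed or differently scoped ACI, so if any per-entry ACI survives, the DN must be validated or escaped before interpolation. The pasted string also appears to have lost the quotes around the `ldap:///` URL, which should be checked against the actual source. The enclosing method starts before the quoted hunk.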
Re: [Freeipa-devel] [PATCH] Password vault
Dne 3.7.2015 v 14:23 Endi Sukma Dewata napsal(a): On 7/1/2015 1:53 AM, Jan Cholasta wrote: I think it would be better to use a new attribute type which inherits from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly for assymetric vault public keys, so that assymetric public key and escrow public key are on the same level and you can still use ipaPublicKey to refer to either one: ipaPublicKey ipaVaultPublicKey ipaEscrowPublicKey OK. To be consistent the parameters need to be renamed too: --vault-public-key and --vault-public-key-file. It doesn't need to, there is no requirement for CLI names to always match attribute names. (Also I don't insist on the name ipaVaultPublicKey, feel free to change it if you want.) It's unchanged for now. In a previous discussion it was advised to reuse the existing attribute type whenever possible. Well, in this discussion, it is not. Escrow public key should also reuse ipaPublicKey, but it can't if you use it for vault public key. By using ipaPublicKey subtypes you can distinguish between the two uses and still use ipaPublicKey to refer to either of them. So what's changed? This is what you said when I posted the same patch six months ago: In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute types to store salt and public key for vault. Are there existing attribute types that I can use instead? I see there's an ipaPublicKey, should I use that and maybe add ipaSalt/ipaEncSalt? Thanks. yes, please re-use existing attributes where possible. Honza What changed is that I now know there is also escrow public key, which I didn't know six months ago. Here's patch #368 to be applied on top of patch #357-5, but see comments below. Thanks for the patch. Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey and ipaEscrowPublicKey? Under what situation would that be useful? 
For example for ipaPublicKey searches - if ipaVaultPublicKey and ipaEscrowPublicKey both inherit from ipaPublicKey, then an ipaPublicKey search will look in both ipaVaultPublicKey and ipaEscrowPublicKey. This is not something we actually need right now, but once the schema is done, it can't be fixed and I don't think we should prevent this, especially since we can get it for free. BTW even the core LDAP schema does this, see for example how the cn attribute inherits from the more general name attribute: https://tools.ietf.org/html/rfc4519#section-2.3. I don't think that's how LDAP works. It is, see https://tools.ietf.org/html/rfc4512#section-2.5.3. The RFC doesn't say that either. The cn does inherit from name, but if you search for name it won't match/return cn. See queries below: $ ldapsearch -LLL -x -b dc=example,dc=com (cn=Accounting Managers) dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager $ ldapsearch -LLL -x -b dc=example,dc=com (cn=Accounting Managers) \ name dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com (no cn attribute) $ ldapsearch -LLL -x -b dc=example,dc=com (name=Accounting Managers) (no result) This seems like a bug in 389 DS, it works correctly with OpenLDAP: $ ldapsearch -H ldap://localhost -D 'cn=Manager,dc=example,dc=com' -w password -b 'dc=example,dc=com' '(name=Manager)' dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager Assuming this is what you meant, which doesn't seem to be working, is there still a valid reason to add a new ipaVaultPublicKey instead of using the existing ipaPublicKey? I think everything mentioned in the RFC section I linked above is a good enough reason. * CLI options will be identical to client and server API options (i.e. 
no CLI-only, client-only, or server-only options) Actually, you can create CLI-only options (add include='cli' to the param's kwargs). I need to look at this more closely. If I understand correctly in user_del there are two 'preserve' options, the Bool preserve is for client and server API, and the Flag preserve is for CLI. Wouldn't it be better if they are stored in separate lists (or maybe separate classes)? And it looks like you still need to delete the CLI options explicitly anyway. Well, it would be better if there was no Flag class at all and flags were handled by CLI exclusively, because parameter classes should reflect the data type (bool) and not the presentation (flag). That indicates there should be a separation between client API and the CLI too because, as you see in user_del, they can be different. Not really, what there should be is separation between data type and presentation. This is what the web UI already does and so should the CLI. Does the API.txt actually show the CLI options, the client API options, or the server API options? I only see the Flag preserve, not the Bool
Re: [Freeipa-devel] [PATCH] 892 webui: add mangedby tab to otptoken
On 07/03/2015 02:49 PM, Martin Babinsky wrote: On 07/01/2015 06:59 PM, Petr Vobornik wrote: Added managedby_user tab to manage users who can manage the token. https://fedorahosted.org/freeipa/ticket/5003 Nathaniel, I could not reproduce the following part of the ticket: Careful interaction is required here. In the current code, this also creates a bug since all UI created tokens are owned but not managed. When users of these tokens are deleted, their self-created tokens are orphaned rather than deleted. Self-created tokens MUST be both self-owned AND self-managed. The self-created tokens which I created in Web UI as admin or normal user were in both cases managed by the same user who created them. (Once again, this time also reply to the list) The patch itself does what it is supposed to. So ACK from me. However, I have found out that the token's manager is correctly set *only* when it is directly created by the user that should own it. In this case when the manager is not specified, the code works as expected and fill in the logged-in user as manager. However, if e.g. admin creates a token for another user and does not set him as the manager explicitly, the 'managedBy' attribute is not set. Pushed to: master: b258bcee8337063259aa38b4387b9bb5721fb380 ipa-4-1: 5439e7a8fa46a8eab0d23689807a4894f20ecea7 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features
Hi, * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 From 8cdc723d334540258fdc408933b3f47ccebf5b53 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 7 Jul 2015 09:36:32 +0200 Subject: [PATCH] Hide topology and domainlevel features * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 --- install/ui/src/freeipa/app.js | 3 ++- install/ui/src/freeipa/navigation/menu_spec.js | 4 ++-- ipalib/constants.py| 2 +- ipalib/plugins/domainlevel.py | 2 ++ ipalib/plugins/topology.py | 11 +++ ipaserver/install/dsinstance.py| 3 ++- 6 files changed, 20 insertions(+), 5 deletions(-) diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index f05e8213c0b17e21515fdfce5ab496516a02692e..92613b4a4cec1487a6bde1bdc0049b16d3321418 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -48,7 +48,8 @@ define([ './service', './sudo', './trust', -'./topology', +// Hide topology for now +// './topology', './user', './stageuser', 'dojo/domReady!' diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 120cba37dca7aa355bdb94b1ef16615b95afeb28..4265e98710cdaff0d2ea77ab1e62be1071b19c33 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -184,7 +184,7 @@ var nav = {}; { entity: 'trustconfig' } ] }, -{ +/* { entity: 'topologysuffix', label: '@i18n:tabs.topology', facet: 'search', @@ -205,7 +205,7 @@ var nav = {}; hidden: true } ] -}, +},*/ { name: 'apibrowser', label: 'API browser', 
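Review bot: Both JS hunks (app.js and menu_spec.js) hide the topology UI by commenting code out (`// './topology'`, `/* { entity: 'topologysuffix' ... },*/`), which leaves dead code that will drift from the live entity definitions and can be re-enabled by accident. A clearer option is to keep the entries and gate them on the same condition the server side uses, or at minimum reference the ticket in the comment: `// Hidden until topology is supported, see ticket 5097`. The `define([...])` list and the `nav` object extend beyond these hunks.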
diff --git a/ipalib/constants.py b/ipalib/constants.py index a062505c349436332d430af4fd29c76d20c85343..fac937b5dc4900b5988c1b1d937c0061430c5e1d 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -234,4 +234,4 @@ IPA_ANCHOR_PREFIX = ':IPA:' SID_ANCHOR_PREFIX = ':SID:' MIN_DOMAIN_LEVEL = 0 -MAX_DOMAIN_LEVEL = 1 +MAX_DOMAIN_LEVEL = 0 diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py index 64e383006722fb2f32f5300d627b18b6daf051d4..9012a3203323f381c2b927f76371d2b1df4b32a0 100644 --- a/ipalib/plugins/domainlevel.py +++ b/ipalib/plugins/domainlevel.py @@ -74,6 +74,7 @@ def get_master_entries(ldap, api): @register() class domainlevel_get(Command): __doc__ = _('Query current Domain Level.') +NO_CLI = True has_output = domainlevel_output @@ -90,6 +91,7 @@ class domainlevel_get(Command): @register() class domainlevel_set(Command): __doc__ = _('Change current Domain Level.') +NO_CLI = True has_output = domainlevel_output diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py index de5ceb97583c9a40b4fe3783ec0fa40e6c325d0f..574e0d7ed42386f62a805272b6ec106bb946116c 100644 --- a/ipalib/plugins/topology.py +++ b/ipalib/plugins/topology.py @@ -41,6 +41,7 @@ class topologysegment(LDAPObject): Topology segment. +NO_CLI = True parent_object = 'topologysuffix' container_dn = api.env.container_topology object_name = _('segment') @@ -195,6 +196,7 @@ class topologysegment(LDAPObject): class topologysegment_find(LDAPSearch): __doc__ = _('Search for topology segments.') +NO_CLI = True msg_summary = ngettext( '%(count)d segment matched', '%(count)d segments matched', 0 @@ -205,6 +207,7 @@ class topologysegment_find(LDAPSearch): class topologysegment_add(LDAPCreate): __doc__ = _('Add a new segment.') +NO_CLI = True msg_summary = _('Added segment %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): 
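Review bot: `NO_CLI = True` on `domainlevel_get`, `domainlevel_set` and the `topologysegment_*` commands only removes them from the CLI; they stay registered and callable over the RPC API by any principal the existing ACIs permit, so `MAX_DOMAIN_LEVEL = 0` in constants.py is the actual guard for domain level and the topology commands are hidden, not disabled. If hiding is the intent, say so where the flag is set, e.g. `# Hidden from the CLI only; still reachable via the API (ticket 5097)`, so nobody reads this as an access restriction. The same applies to the topology.py hunks continuing on the next line, the last of which is cut off.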
@@ -218,6 +221,7 @@ class topologysegment_add(LDAPCreate): class topologysegment_del(LDAPDelete): __doc__ = _('Delete a segment.') +NO_CLI = True msg_summary = _('Deleted segment %(value)s') def pre_callback(self, ldap, dn, *keys, **options): @@ -230,6 +234,7 @@ class topologysegment_del(LDAPDelete): class topologysegment_mod(LDAPUpdate): __doc__ = _('Modify a segment.') +NO_CLI = True msg_summary = _('Modified segment %(value)s') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): @@
Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration
On 07/07/2015 09:09 AM, Tomas Babej wrote: On 06/24/2015 04:33 PM, Tomas Babej wrote: On 06/24/2015 04:29 PM, Martin Basti wrote: On 24/06/15 14:39, Tomas Babej wrote: +msgid Automount location name. +msgstr Job Title + in german po file +msgid Automount location name. +msgstr Job Title + AFAIK, this is not german language. Nice catch! You can show off your German language skills by entering the correct translation here: https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name So far, I removed the wrong translation string in Zanata. Tomas Attaching updated patches, with fresh translations. Thanks to all the translators! Tomas There is a small error in the UK translation, line 491 should read: На сервері DNS %(server)s не... instead of: На сервері DNS (server)s не... Fixed. I am not sending a updated version of the patch to the list, given its size. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.
On 03/07/15 06:17, David Kupka wrote: Since ipa-replica-* tools will be soon removed I think this simple check should be enough. Updated patch attached. -- David Kupka From 3df59261538f6b28e158802d8f6e4a47dadeab84 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 3 Jul 2015 05:59:55 +0200 Subject: [PATCH] ipa-replica-prepare: Do not create DNS zone it automatically. When --ip-address is specified check if relevant DNS zone exists in IPA managed DNS server, exit with error when not. https://fedorahosted.org/freeipa/ticket/5014 --- ipaserver/install/ipa_replica_prepare.py | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 46ac886e5a0f86574531861159d955bd149648c4..5246f5f5469c85571d04c99d872f38018802abaa 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -264,6 +264,14 @@ class ReplicaPrepare(admintool.AdminTool): options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) + +host, zone = self.replica_fqdn.split('.', 1) +if not bindinstance.dns_zone_exists(zone, api=api): +self.log.error(DNS zone %s does not exist in IPA managed DNS + server. Either create DNS zone or omit + --ip-address option. % zone) +raise admintool.ScriptError(Cannot add DNS record) + if disconnect: api.Backend.ldap2.disconnect() 
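Review bot: `host, zone = self.replica_fqdn.split('.', 1)` raises an unhandled ValueError when the replica name has no dot, and it assumes the IPA zone is exactly the parent of the host label, so a replica in `host.sub.example.com` whose managed zone is `example.com` is rejected although a record could be added; `host` is also unused, and the `log.error` text and `ScriptError("Cannot add DNS record")` say different things. Consider walking up the labels until `dns_zone_exists` matches and erroring only when no ancestor zone is managed, unless the record is always added to the immediate parent zone (the hunk does not show where the record is created). The enclosing method starts outside the hunk.
```python
# … unchanged: reverse zone check …
labels = self.replica_fqdn.rstrip('.').split('.')
# Find the closest IPA-managed zone that encloses the replica name.
zone = None
for i in range(1, len(labels)):
    candidate = '.'.join(labels[i:])
    if bindinstance.dns_zone_exists(candidate, api=api):
        zone = candidate
        break
if zone is None:
    self.log.error("No IPA managed DNS zone contains %s. Either create "
                   "the DNS zone or omit the --ip-address option.",
                   self.replica_fqdn)
    raise admintool.ScriptError("Cannot add DNS record")
```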
@@ -481,11 +489,6 @@ class ReplicaPrepare(admintool.AdminTool): api.Backend.ldap2.connect( bind_dn=DN(('cn', 'Directory Manager')), bind_pw=self.dirman_password) -try: -add_zone(domain) -except errors.PublicError, e: -raise admintool.ScriptError( -Could not create master DNS zone for the replica: %s % e) for reverse_zone in options.reverse_zones: self.log.info(Adding reverse zone %s, reverse_zone) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed
On 07/07/2015 07:36 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5101 Patch attached. ACK. Pushed to master: 1d9bdb240943527e1e19704acd183eae254267ae -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
On 07/07/2015 07:49 PM, Martin Basti wrote: On 03/07/15 16:41, Martin Babinsky wrote: On 07/02/2015 01:58 PM, Martin Babinsky wrote: First attempt at https://fedorahosted.org/freeipa/ticket/4768 Attaching reworked patch. ACK -- Martin Basti Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features
On 07/07/2015 07:16 PM, Martin Basti wrote: On 07/07/15 10:33, Tomas Babej wrote: Hi, * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 ACK -- Martin Basti Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()
On 07/07/2015 03:49 PM, Sumit Bose wrote: On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote: On 05/26/2015 01:33 PM, Sumit Bose wrote: Hi, these patches add some unit tests and some additional improvements related to the issues described in https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue is fixed by a patch from Alexander attached to the ticket. The first patch converts the existing check-based test to cmocka. If I see it correctly all check-based test are converted now. Cool! Before pushing, we should also reference ticket https://fedorahosted.org/freeipa/ticket/4922 in the patch (no need to rebase right now). The second adds tests for filter_logon_info() where the original issue occurred. The wrong behavior in filter_logon_info() caused a crash in dom_sid_string() which is made a bit more robust together with string_to_sid() in the 3rd patch. The last patch add unit tests for those two calls as well. New version rebased on one-way trust patches attached. Please note that the unit-test will fail with the initial version of the one-way trust patches which does not allow an empty group list in the PAC. bye, Sumit ACK. Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist()
On 07/07/2015 03:47 PM, Sumit Bose wrote: On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote: On Tue, 26 May 2015, Sumit Bose wrote: On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote: On 05/26/2015 01:21 PM, Sumit Bose wrote: Hi, this tests should have gone together with c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the bugzilla processing. bye, Sumit So it has been acked? And we can push it? I have to admit that I'm not sure, there were just to many related tickets. Alexander, do you remember seeing this patch? If not, I think it would be good if someone can review it. Since it is only a unit-test, it is not urgent. I've seen this patch and I thought I've acked it by the time... New version rebased on one-way trust patches is attached. bye, Sumit -- / Alexander Bokovoy ACK. Pushed to master: 7b524e783515a16102aeffdb69fa9ed5fca07c1b -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On 07/07/2015 04:31 PM, Alexander Bokovoy wrote: On Tue, 07 Jul 2015, Alexander Bokovoy wrote: Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. Updated patch 0181 after discussion with Simo and Sumit about empty rid array. Works fine for me, thanks. ACK. Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 During review, I also pushed the attached oneliner. Tomas From d011ca36f1db5d0cb76ab53ef07a33bec54d9003 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 01:24:10 +0200 Subject: [PATCH] dcerpc: Raise ACIError correctly --- ipaserver/dcerpc.py | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index bc75a60265de241f01b7e22c0274dc8a8523eeec..a1da0a641064f59a79639d97489ff73181787a4a 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -1093,9 +1093,11 @@ class TrustDomainInstance(object): if self.validation_attempts 10: sleep(5) return self.verify_trust(another_domain) -raise errors.ACIError(reason=_('IPA master denied trust validation requests from AD DC ' - '%(count)d times. Most likely AD DC contacted a replica ' - 'that has no trust information replicated yet.' % (self.validation_attempts))) +raise errors.ACIError( +info=_('IPA master denied trust validation requests from AD DC ' + '%(count)d times. Most likely AD DC contacted a replica ' + 'that has no trust information replicated yet.') + % dict(count=self.validation_attempts)) raise assess_dcerpc_exception(*result.pdc_connection_status) return True return False -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features
On 07/07/2015 07:30 PM, Martin Basti wrote: On 04/07/15 16:58, Fraser Tweedale wrote: On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote: On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote: Hi, Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a): Attached patches fix a couple of important gaps in certprofile plugin: - Add --out option to export Dogtag profile data to file https://fedorahosted.org/freeipa/ticket/5091 - Add --file option to update existing profile in Dogtag https://fedorahosted.org/freeipa/ticket/5093 NACK on patchset v2; does not work (even after makeapi, which I forgot to include in updated patchset). I keep getting error ``ipa: ERROR: Unknown option: file''. Need to investigate why, but other patches are taking priority right now. Here is patchset v3, which is just v1 rebased on latest master. Thanks, Fraser Updated patch 0025 (v4). Profile now gets re-enabled if profile update fails. Patch 0024 remains at v3. Thanks, Fraser ACK -- Martin Basti Patches required a little API rebase due to stale minor API number reference. Pushed to master: 462e0b9eb16f52b66b723744c4b42c19ef4782c3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.
On 07/07/2015 07:16 PM, Martin Basti wrote: On 03/07/15 06:17, David Kupka wrote: Since ipa-replica-* tools will be soon removed I think this simple check should be enough. ACK -- Martin Basti Pushed to master: 6a91893ff50fee6d7c71d9bc982d85a3ec8b7583 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration
On 07/07/2015 11:48 AM, Martin Basti wrote: On 07/07/15 10:37, Tomas Babej wrote: On 07/07/2015 09:09 AM, Tomas Babej wrote: On 06/24/2015 04:33 PM, Tomas Babej wrote: On 06/24/2015 04:29 PM, Martin Basti wrote: On 24/06/15 14:39, Tomas Babej wrote: +msgid Automount location name. +msgstr Job Title + in german po file +msgid Automount location name. +msgstr Job Title + AFAIK, this is not german language. Nice catch! You can show off your German language skills by entering the correct translation here: https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name So far, I removed the wrong translation string in Zanata. Tomas Attaching updated patches, with fresh translations. Thanks to all the translators! Tomas There is a small error in the UK translation, line 491 should read: На сервері DNS %(server)s не... instead of: На сервері DNS (server)s не... Fixed. I am not sending a updated version of the patch to the list, given its size. Tomas ACK, we will fix minor issues later. Pushed to master: 12b053df300cb58aad157797f4e30283e45033f5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: From 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 11:49:58 + Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 This is upstream ticket https://fedorahosted.org/freeipa/ticket/5031 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote: Hello, I like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are: 1) httpd.service ignores exit code of ipa-httpd-kdcproxy 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a connection error 3) 1 + 2 What do you think? If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2. However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and http.service should be aware of these. So not #1. Nathaniel -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 26 Mar 2015 14:34:06 +0200 Subject: [PATCH 01/11] add one-way trust support to ipasam When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 ... and fixes ticket https://fedorahosted.org/freeipa/ticket/5005 too -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration
On 07/07/15 10:37, Tomas Babej wrote: On 07/07/2015 09:09 AM, Tomas Babej wrote: On 06/24/2015 04:33 PM, Tomas Babej wrote: On 06/24/2015 04:29 PM, Martin Basti wrote: On 24/06/15 14:39, Tomas Babej wrote: +msgid Automount location name. +msgstr Job Title + in german po file +msgid Automount location name. +msgstr Job Title + AFAIK, this is not german language. Nice catch! You can show off your German language skills by entering the correct translation here: https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name So far, I removed the wrong translation string in Zanata. Tomas Attaching updated patches, with fresh translations. Thanks to all the translators! Tomas There is a small error in the UK translation, line 491 should read: На сервері DNS %(server)s не... instead of: На сервері DNS (server)s не... Fixed. I am not sending a updated version of the patch to the list, given its size. Tomas ACK, we will fix minor issues later. -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. -- / Alexander Bokovoy From 0e252fb1f8455daa87dccbc6dcba61b08570b444 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 20 May 2015 18:24:52 +0300 Subject: [PATCH 03/11] ipa-kdb: use proper memory chunk size when moving sids Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0e53a80..390111f 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1394,7 +1394,15 @@ static krb5_error_code filter_logon_info(krb5_context context, if (result) { filter_logon_info_log_message(info-info-info3.sids[i].sid); } else { +/* Go over incoming SID blacklist */ for(k = 0; k domain-len_sid_blacklist_incoming; k++) { +/* if SID is an exact match, filter it out */ +result = dom_sid_check(domain-sid_blacklist_incoming[k], info-info-info3.sids[i].sid, true); +if (result) { + filter_logon_info_log_message(info-info-info3.sids[i].sid); +break; +} +/* if SID is a suffix of the blacklist element, filter it out*/ result = dom_sid_is_prefix(domain-sid_blacklist_incoming[k], info-info-info3.sids[i].sid); if (result) { filter_logon_info_log_message(info-info-info3.sids[i].sid); 
@@ -1403,11 +1411,17 @@ static krb5_error_code filter_logon_info(krb5_context context, } } if (result) { +k = count - i - j - 1; +if (k != 0) { +memmove(info-info-info3.sids+i, +info-info-info3.sids+i+1, +sizeof(struct netr_SidAttr)*k); +} j++; -memmove(info-info-info3.sids+i, info-info-info3.sids+i+1, count-i-1); +} else { +i++; } -i++; -} while (i count); +} while ((i + j) count); if (j != 0) { count = count-j; -- 2.4.3 From a797874359544e431bdd96dd11e26f404c578db0 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 08:33:51 + Subject: [PATCH 04/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out and in unlikely event of empty list of groups treat that as violation of the KDC policy as well. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 102 +++- 1 file changed, 101 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 390111f..df19880 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
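Review bot: The new comment before the `dom_sid_is_prefix` call states the relation backwards: `dom_sid_is_prefix(domain->sid_blacklist_incoming[k], sid)` tests whether the blacklist entry is a prefix of the incoming SID (the SID belongs to a blacklisted domain), not that the SID is a suffix of the entry, so I would reword it to `/* if a blacklisted SID is a prefix of this SID (it belongs to a blacklisted domain), filter it out */`. The exact-match branch above it breaks out of the blacklist loop on a hit, but the continuation of the prefix branch is cut at the hunk boundary, so I cannot confirm it also breaks; without one, the next iteration's `result = dom_sid_check(...)` overwrites the hit and a blacklisted SID would slip through the removal step below. Also worth a comment that `dom_sid_check(..., true)` is an exact comparison (the `true` argument is otherwise opaque here). filter_logon_info starts and ends outside this hunk.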
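Review bot: The shift length `k = count - i - j - 1` is correct but its derivation is not visible: after `j` removals only `count - j` entries are live, and the ones that still have to move are those after index `i`; a one-line comment such as `/* live entries after this one: (count - j) live minus the i+1 already kept */` would save the next reader the arithmetic and make the `(i + j) < count` loop condition obviously consistent with it. Note that after the shift, slots `count - j .. count - 1` hold stale copies of the last entries; that is harmless only because `count = count - j` is assigned afterwards and, presumably, written back as the new `sidcount`, so nothing should walk the array by its original length. filter_logon_info's body continues outside the hunk.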
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ +char *domstr = NULL; + +domstr = dom_sid_string(NULL, sid); +if (domstr) { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not allowed + from a trusted source and will be excluded., domstr, rid); +talloc_free(domstr); +} else { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed + from a trusted source and will be excluded. + Unable to allocate memory to display SID.); +} +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. Attached is a rebase of two patches that modified VERSION as it conflicted with last minute push that Tomas did. -- / Alexander Bokovoy From 07bd53b528abd39aac6f11f47eec38ff5a73c5e3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 11:49:58 + Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/trust.py | 9 - ipaserver/dcerpc.py | 10 +++--- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/API.txt b/API.txt index 99fa528..a76458b 100644 --- a/API.txt +++ b/API.txt @@ -4998,10 +4998,11 @@ output: Output('result', type 'dict', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: ListOfPrimaryKeys('value', None, None) command: trust_fetch_domains -args: 1,4,4 +args: 1,5,4 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('realm_server?', cli_name='server') option: Flag('rights', autofill=True, default=False) option: Str('version?', exclude='webui') output: Output('count', type 'int', None) diff --git a/VERSION b/VERSION index 2d9ad26..bf68be2 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=139 -# Last change: edewata - added ipaVaultPublicKey attribute +IPA_API_VERSION_MINOR=140 +# Last change: ab - trusts: pass AD DC hostname if specified explicitly diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5b884ca..13ac52d 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1302,9 +1302,10 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): sp.insert(0, trustinstance.remote_domain.info['name']) creds = u{name}%{password}.format(name=\\.join(sp), password=password) +server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, - trust_name, creds=creds) + trust_name, creds=creds, server=server) result = [] if not domains: return result @@ -1342,6 +1343,12 @@ class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') has_output = output.standard_list_of_entries +takes_options = LDAPRetrieve.takes_options + ( +Str('realm_server?', +cli_name='server', +label=_('Domain controller for the Active Directory domain (optional)'), +), +) def execute(self, *keys, **options): if not _bindings_installed: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 725b2cd..753e10e 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1046,7 +1046,7 @@ class TrustDomainInstance(object): return False -def fetch_domains(api, mydomain, trustdomain, creds=None): +def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): trust_flags = dict( NETR_TRUST_FLAG_IN_FOREST = 0x0001, NETR_TRUST_FLAG_OUTBOUND = 0x0002, 
@@ -1087,8 +1087,12 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): cr.set_workstation(domain_validator.flatname) netrc = net.Net(creds=cr, lp=td.parm) try: -result = netrc.finddc(domain=trustdomain, - flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +if server: +result = netrc.finddc(address=server, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +else: +result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) except RuntimeError, e: raise assess_dcerpc_exception(message=str(e)) -- 2.4.3 From 850566818840e5aa37a08ff0cc50d503d78c3b63 Mon Sep 17 00:00:00 2001 From:
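Review bot: When `server` is given, `netrc.finddc(address=server, ...)` is called without `domain=trustdomain`, so the answer is whatever the host at that address claims to be, and nothing visible checks that the returned DC actually belongs to `trustdomain` before the trust credentials bound into `netrc` (built from the AD admin password in the caller) are used against it. Unless a later line outside the hunk compares the result's domain with `trustdomain`, I would add that check right after the call, e.g. `if server and result.dns_domain.lower() != trustdomain.lower(): raise errors.ValidationError(name=_('server'), error=_('%(server)s is not a domain controller of %(domain)s') % dict(server=server, domain=trustdomain))` (the attribute name on the finddc result should be confirmed against the Samba binding). The command is admin-only, but a typo in --server would otherwise quietly send the AD administrator's password to the wrong machine. fetch_domains continues past the end of the hunk.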
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: From a4e2034028d64a8b2b533af9541e698a68388fb2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 4 Jun 2015 21:29:36 + Subject: [PATCH 07/11] ipa-adtrust-install: allow configuring of trust agents Trust agents are IPA master without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure trust but they can resolve AD users and groups for IPA clients enrolled to them. Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later. Part of https://fedorahosted.org/freeipa/ticket/4951 And also fixes https://fedorahosted.org/freeipa/ticket/5004 which is more specific ticket for host principals. -- / Alexander Bokovoy signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Password vault
On 07/07/2015 10:51 AM, Jan Cholasta wrote: Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): Here is the rebased patch for vault access control. LGTM, except: @@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], +'aci': +'(targetfilter=(objectClass=ipaVault))' + +'(version 3.0; ' + +'acl User can manage private vaults; ' + +'allow(read, search, compare, add, delete) ' + +'userdn=ldap:///%s;;)' +% owner_dn }) # if entry can be added, return I don't think dynamically creating ACIs with hardcoded userdn is something we want to do. This should be handled by a single ACI in cn=vaults. +1. Single ACI like +default: aci: (targetfilter=(objectClass=ipaVault))(version 3.0; acl Vault owners can manage the vault; allow(read, search, compare, write) userattr=owner#USERDN;) you already have there is more preferred. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
On 2015-07-07 15:41, Simo Sorce wrote: On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote: On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote: Hello, I like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are: 1) httpd.service ignores exit code of ipa-httpd-kdcproxy 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a connection error 3) 1 + 2 What do you think? If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2. However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and http.service should be aware of these. So not #1. Nathaniel IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact LDAP, because other stuff will fail too if that's the case anyway. In fact I had to change my replica promotion patches to account for this as it was failing here, for various reasons, on one restart during the install. :-) Without LDAP non of the IPA services in Apache are usable. From that perspective it doesn't make much of a difference. However Alexander is worried about a different thing. When LDAP isn't running or GSSAPI fails, then the service can't be restarted and offline RPM update fails. We can either fix the offline update problem in the spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script. Since my script is new and changes behavior, I'm reluctant to say that I'm to blame. 
:) Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy
This LGTM. However, I’ll let Alexander give the ACK. On Jul 7, 2015, at 10:11 AM, Christian Heimes chei...@redhat.com wrote: Hi, the patch addresses the error handling of ipa-httpd-kdcproxy as discussed in the other thread. Christian freeipa-cheimes-0004-Improve-error-handling-in-ipa-httpd-kdcproxy.patch-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy
On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote: On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote: Hello, I like to ask for your opinion regarding the pre-exec hook 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error cases like LDAP connection timeout more gracefully. At the moment any error causes the script to return a non-zero exit code. This breaks the service and apparently also offline RPM upgrades. How should I handle error cases? I can change httpd.service to simply ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an invalid state. I could modify the script to catch connection errors and to disable kdcproxy in case of an error. The options are: 1) httpd.service ignores exit code of ipa-httpd-kdcproxy 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a connection error 3) 1 + 2 What do you think? If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2. However, ipa-httpd-kdcproxy should leave error codes to real catastrophic failures and http.service should be aware of these. So not #1. Nathaniel IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact LDAP, because other stuff will fail too if that's the case anyway. In fact I had to change my replica promotion patches to account for this as it was failing here, for various reasons, on one restart during the install. :-) Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()
On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote: On 05/26/2015 01:33 PM, Sumit Bose wrote: Hi, these patches add some unit tests and some additional improvements related to the issues described in https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue is fixed by a patch from Alexander attached to the ticket. The first patch converts the existing check-based test to cmocka. If I see it correctly all check-based test are converted now. Cool! Before pushing, we should also reference ticket https://fedorahosted.org/freeipa/ticket/4922 in the patch (no need to rebase right now). The second adds tests for filter_logon_info() where the original issue occurred. The wrong behavior in filter_logon_info() caused a crash in dom_sid_string() which is made a bit more robust together with string_to_sid() in the 3rd patch. The last patch add unit tests for those two calls as well. New version rebased on one-way trust patches attached. Please note that the unit-test will fail with the initial version of the one-way trust patches which does not allow an empty group list in the PAC. bye, Sumit From 4a31cfdd848e0ef51ee32817e634340d1e90c97f Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 20 May 2015 18:31:19 +0200 Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka --- daemons/ipa-kdb/Makefile.am | 6 +- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 -- 2 files changed, 48 insertions(+), 87 deletions(-) diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -55,7 +55,7 @@ ipadb_la_LIBADD = \ $(NSS_LIBS) \ $(NULL) -if HAVE_CHECK +if HAVE_CMOCKA TESTS = ipa_kdb_tests check_PROGRAMS = ipa_kdb_tests endif 
@@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES =\ ipa_kdb_audit_as.c \ $(KRB5_UTIL_SRCS) \ $(NULL) -ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS) +ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS) ipa_kdb_tests_LDADD = \ - $(CHECK_LIBS) \ + $(CMOCKA_LIBS) \ $(KRB5_LIBS)\ $(LDAP_LIBS)\ $(NDRPAC_LIBS) \ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
@@ -1,49 +1,30 @@ -/** BEGIN COPYRIGHT BLOCK - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see http://www.gnu.org/licenses/. - * - * Additional permission under GPLv3 section 7: - * - * In the following paragraph, GPL means the GNU General Public - * License, version 3 or any later version, and Non-GPL Code means - * code that is governed neither by the GPL nor a license - * compatible with the GPL. - * - * You may link the code of this Program with Non-GPL Code and convey - * linked combinations including the two, provided that such Non-GPL - * Code only links to the code of this Program through those well - * defined interfaces identified in the file named EXCEPTION found in - * the source code files (the Approved Interfaces). The files of - * Non-GPL Code may instantiate templates or use macros or inline - * functions from the Approved Interfaces without causing the resulting - * work to be covered by the GPL. Only the copyright holders of this - * Program may make changes or additions to the list of Approved - * Interfaces. - * - * Authors: - * Sumit Bose sb...@redhat.com - * - * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. 
- * END COPYRIGHT BLOCK **/ +/* +Authors: +Sumit Bose sb...@redhat.com -#include check.h -#include stdlib.h +Copyright (C) 2015 Red Hat + +ipa-kdb tests + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +
[Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy
Hi, the patch addresses the error handling of ipa-httpd-kdcproxy as discussed in the other thread. Christian From 85dc0cc3f597accdee6f6de9d7b4d41b2173a8d9 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 7 Jul 2015 16:05:48 +0200 Subject: [PATCH] Improve error handling in ipa-httpd-kdcproxy The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles connection and authentication errors more gracefully. If the script is not able to conenct to LDAP, it only prints a warning and exits with status code 0. All other errors are still reported as fatal error and result in a non-zero exit code. This fixes a problem with offline RPM updates. A restart of Apache no longer fails when LDAP is not running. --- install/tools/ipa-httpd-kdcproxy | 75 +--- 1 file changed, 55 insertions(+), 20 deletions(-) diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy index c71f9cccfe0c05e1484aac7cfcd6801050ed51ab..60b22f2cc321d416871c74f3b4d580594c186a85 100755 --- a/install/tools/ipa-httpd-kdcproxy +++ b/install/tools/ipa-httpd-kdcproxy @@ -37,8 +37,26 @@ DEBUG = False TIME_LIMIT = 2 -class CheckError(Exception): -An unrecoverable error has occured +class Error(Exception): +Base error class + + +class ConfigFileError(Error): +Something is wrong with the config file + + +class CheckError(Error): +An unrecoverable error has occured + +The exit code is 0. + + + +class FatalError(Error): +A fatal error has occured + +Fatal errors cause the command to exit with a non-null exit code. + class KDCProxyConfig(object): 
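Review bot: `CheckError`'s docstring still reads "An unrecoverable error has occured" while also promising exit code 0, which contradicts itself now that `FatalError` exists for the non-zero case; since httpd.service treats exit 0 as "go ahead", this docstring is the one place that should state what happens to an existing kdcproxy symlink on such an error, and I would reword it to something like `"""A recoverable error (e.g. LDAP not reachable): log a warning and exit 0, leaving the existing kdcproxy configuration as it is."""`, adjusted to whatever the main() handler (outside this hunk) actually does. Both `CheckError` and `FatalError` also misspell "occurred". The other thread settled on removing the kdcproxy config when LDAP cannot be contacted; if the exit-0 path keeps the symlink, that decision should be revisited or documented here rather than left implicit.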
@@ -64,14 +82,16 @@ class KDCProxyConfig(object): self.con.ldapi = True self.con.do_bind(timeout=self.time_limit) except errors.NetworkError as e: -msg = 'Failed to get setting from dirsrv: %s' % e -self.log.exception(msg) +msg = 'Unable to connect to dirsrv: %s' % e +raise CheckError(msg) +except errors.AuthorizationError as e: +msg = 'Authorization error: %s' % e raise CheckError(msg) except Exception as e: msg = ('Unknown error while retrieving setting from %s: %s' % (self.ldap_uri, e)) self.log.exception(msg) -raise CheckError(msg) +raise FatalError(msg) def _find_entry(self, dn, attrs, filter, scope=IPAdmin.SCOPE_BASE): Find an LDAP entry, handles NotFound and Limit @@ -87,7 +107,7 @@ class KDCProxyConfig(object): msg = ('Unknown error while retrieving setting from %s: %s' % (self.ldap_uri, e)) self.log.exception(msg) -raise CheckError(msg) +raise FatalError(msg) return entries[0] def is_host_enabled(self): @@ -105,19 +125,21 @@ class KDCProxyConfig(object): if not os.path.exists(self.conflink): return False if not os.path.islink(self.conflink): -raise CheckError('%s' already exists, but it is not a symlink % - self.conflink) +raise ConfigFileError( +'%s' already exists, but it is not a symlink +% self.conflink) dest = os.readlink(self.conflink) if dest != self.conf: -raise CheckError('%s' points to '%s', expected '%s' - % (self.conflink, dest, self.conf)) +raise ConfigFileError( +'%s' points to '%s', expected '%s' +% (self.conflink, dest, self.conf)) return True def create_symlink(self): Create symlink to enable KDC proxy support try: valid = self.validate_symlink() -except CheckError as e: +except ConfigFileError as e: self.log.warn(Cannot enable KDC proxy: %s % e) return False 
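Review bot: Mapping `errors.AuthorizationError` to `CheckError` in the bind handler turns a rejected bind into an exit-0 warning, so httpd starts with whatever kdcproxy symlink was already present; a bad keytab or ACI is a persistent misconfiguration rather than a transient outage, and silently proceeding on it hides the problem until a client notices. I would keep `NetworkError` as the only soft failure and make the authorization case fatal, `except errors.AuthorizationError as e: raise FatalError('Authorization error: %s' % e)`, or at least have the caller disable the proxy on it, in line with the rule from the other thread that kdcproxy must not remain enabled when LDAP cannot be consulted. The `NetworkError` branch also drops the former `self.log.exception(msg)`, which is fine for a warning but leaves only one line of diagnostics for what may be a DNS or TLS problem; consider `self.log.debug(...)` with the traceback. The enclosing method's header is outside the hunk.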
@@ -165,16 +187,29 @@ class KDCProxyConfig(object): def main(debug=DEBUG, time_limit=TIME_LIMIT): # initialize API without file logging if not api.isdone('bootstrap'): -api.bootstrap(context='kdcproxyshim', log=None, debug=debug) +api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug) standard_logging_setup(verbose=True, debug=debug) -with KDCProxyConfig(time_limit) as cfg: -if cfg.is_host_enabled(): -if cfg.create_symlink(): -api.log.info('KDC proxy enabled') -else: -if cfg.remove_symlink(): -api.log.info('KDC proxy disabled') +try: +cfg = KDCProxyConfig(time_limit) +with cfg: +if cfg.is_host_enabled(): +if cfg.create_symlink(): +api.log.info('KDC proxy enabled') +return 0 +else: +if cfg.remove_symlink(): +api.log.info('KDC proxy
Re: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist()
On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote: On Tue, 26 May 2015, Sumit Bose wrote: On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote: On 05/26/2015 01:21 PM, Sumit Bose wrote: Hi, this tests should have gone together with c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the bugzilla processing. bye, Sumit So it has been acked? And we can push it? I have to admit that I'm not sure, there were just to many related tickets. Alexander, do you remember seeing this patch? If not, I think it would be good if someone can review it. Since it is only a unit-test, it is not urgent. I've seen this patch and I thought I've acked it by the time... New version rebased on one-way trust patches is attached. bye, Sumit -- / Alexander Bokovoy From 5b5c9250416bf1e55a453c5430ac6be914054aa9 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 26 Feb 2015 14:08:06 +0100 Subject: [PATCH 144/148] extdom: add unit-test for get_user_grouplist() --- .../ipa-extdom-extop/ipa_extdom.h |2 + .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c | 41 + .../ipa-extdom-extop/ipa_extdom_common.c |4 +- .../ipa-extdom-extop/test_data/group | 1000 4 files changed, 1045 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 65dd43ea35726db6231386a0fcbba9be1bd71412..a77711977186b702caafa2729dc13090c6031791 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -185,6 +185,8 @@ int getgrnam_r_wrapper(size_t buf_max, const char *name, struct group *grp, char **_buf, size_t *_buf_len); int getgrgid_r_wrapper(size_t buf_max, gid_t gid, struct group *grp, char **_buf, size_t *_buf_len); +int get_user_grouplist(const char *name, gid_t gid, + size_t *_ngroups, gid_t **_groups); int pack_ber_sid(const char *sid, struct berval **berval); int pack_ber_name(const char *domain_name, const char *name, struct berval **berval); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c index 42d588d08a96f8a26345f85aade9523e05f6f56e..ec553fe62c27738f258defc267fe761c72157df0 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c 
@@ -213,6 +213,46 @@ void test_getgrgid_r_wrapper(void **state)
 free(buf);
 }
 
+void test_get_user_grouplist(void **state)
+{
+int ret;
+size_t ngroups;
+gid_t *groups;
+size_t c;
+
+/* This is a bit odd behaviour of getgrouplist() it does not check if the
+ * user exists, only if memberships of the user can be found. */
+ret = get_user_grouplist(non_exisiting_user, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 1);
+assert_int_equal(groups[0], 23456);
+free(groups);
+
+ret = get_user_grouplist(member0001, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 3);
+assert_int_equal(groups[0], 23456);
+assert_int_equal(groups[1], 1);
+assert_int_equal(groups[2], 2);
+free(groups);
+
+ret = get_user_grouplist(member0003, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 2);
+assert_int_equal(groups[0], 23456);
+assert_int_equal(groups[1], 2);
+free(groups);
+
+ret = get_user_grouplist(user_big, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 1001);
+assert_int_equal(groups[0], 23456);
+for (c = 1; c ngroups; c++) {
+assert_int_equal(groups[c], 2 + c);
+}
+free(groups);
+}
+
 struct test_data {
 struct extdom_req *req;
 struct ipa_extdom_ctx *ctx;
@@ -398,6 +438,7 @@ int main(int argc, const char *argv[])
 unit_test(test_getpwuid_r_wrapper),
 unit_test(test_getgrnam_r_wrapper),
 unit_test(test_getgrgid_r_wrapper),
+unit_test(test_get_user_grouplist),
 unit_test_setup_teardown(test_set_err_msg, extdom_req_setup,
 extdom_req_teardown),
 unit_test_setup_teardown(test_encode,
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index b2e690471cd045154454a26aa6756c2628bbc262..f5905c78e5f6eb635fcd0acf0afeda3bdb3b9baa 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
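Review bot: The assertions `groups[1] == 1`, `groups[2] == 2` and the `2 + c` loop for `user_big` pin the order in which getgrouplist() returns supplementary groups, which glibc does not document as guaranteed; if the order is in fact fixed by the test_data/group fixture through a wrapper, a comment such as `/* order follows test_data/group; getgrouplist() itself promises none */` would stop a reordering of the fixture from reading as a regression in get_user_grouplist(). None of the four calls drives get_user_grouplist() down a non-LDAP_SUCCESS path, so the error handling of a routine whose output the extdom plugin hands to clients as group membership (i.e. authorization data) stays untested here. The literal `non_exisiting_user` is misspelled; harmless, but worth fixing while touching the test.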
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -400,8 +400,8 @@ int check_request(struct
Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
Dne 8.7.2015 v 00:37 Tomas Babej napsal(a): On 07/07/2015 07:49 PM, Martin Basti wrote: On 03/07/15 16:41, Martin Babinsky wrote: On 07/02/2015 01:58 PM, Martin Babinsky wrote: First attempt at https://fedorahosted.org/freeipa/ticket/4768 Attaching reworked patch. ACK -- Martin Basti Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474 NACK! This won't work, as it breaks capabilities. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client
On 06/30/2015 05:40 PM, Simo Sorce wrote: On Tue, 2015-06-30 at 16:10 +0200, Martin Basti wrote: On 30/06/15 15:18, Martin Basti wrote: On 30/06/15 14:47, Simo Sorce wrote: On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote: On 06/30/2015 01:08 PM, Martin Basti wrote: On 30/06/15 13:00, Tomas Babej wrote: On 06/29/2015 03:50 PM, Martin Basti wrote: On 29/06/15 13:46, Jakub Hrozek wrote: On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: Thanks. Updated patch attached. On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek jhro...@redhat.com wrote: On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: How should https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache? Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client uninstall as well. In that case, you can just remove the single ldb file that corresponds to the domain that the client is leaving. Maybe it would be safer to mv the files instead of remove them, but I guess if you run --uninstall, you really want just to purge everything.. btw do the ipa installer tools support multiple domains at all? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Fri, 5 Jun 2015 11:27:46 -0600 Subject: [PATCH] Clear SSSD caches when uninstalling the client https://fedorahosted.org/freeipa/ticket/5049 Conceptually LGTM, but I haven't tested the patch. ACK, I did testing. Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537 For ipa-4-1 the patch requires a rebase. Rebased patch for ipa-4-1 attached. 
Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96 This patch breaks ipa-client-install --uninstall when the first part of the sssd uninstall fails: an exception is thrown and we 'pass', but then domain is not set and we use it anyway. Please revert or fix it. Simo. I will fix it. Fix attached. Tested on my server and it seems to work correctly. Code-wise also LGTM. ACK. Simo. Pushed to master: 6fa123447f8acfbbdb442a1cbac38997a8e81208 Pushed to ipa-4-1: 56db66371eaa4995fa2a672663d9b8ff1520f63d -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy
On Tue, 07 Jul 2015, Nathaniel McCallum wrote: This LGTM. However, I’ll let Alexander give the ACK. Looks good for me too. -- / Alexander Bokovoy signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches
On Tue, 07 Jul 2015, Alexander Bokovoy wrote: Hi, attached are patches to introduce one-way trust support and few more to fix currently outstanding trust-related bugs. More details are in the commit messages. For oddjobd-activated helper, if you want to test the one-way trust setup, you need to put SELinux into permissive. We have bugs for both Fedora and RHEL to add the policy (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is in works. Updated patch 0181 after discussion with Simo and Sumit about empty rid array. -- / Alexander Bokovoy From e5b073d0a4cb75ef79eb199352f95f29594a4740 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Thu, 28 May 2015 08:33:51 + Subject: [PATCH 02/11] ipa-kdb: filter out group membership from MS-PAC for exact SID matches too When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 390111f..b1490ef 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid) } } +static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid) +{ +char *domstr = NULL; + +domstr = dom_sid_string(NULL, sid); +if (domstr) { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not allowed + from a trusted source and will be excluded., domstr, rid); +talloc_free(domstr); +} else { +krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed + from a trusted source and will be excluded. + Unable to allocate memory to display SID.); +} +} + static krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, krb5_data realm, @@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context context, * attempt at getting us to sign fake credentials with the help of a * compromised trusted realm */ +/* NOTE: there are two outcomes from filtering: + * REJECT TICKET -- ticket is rejected if domain SID of + * the principal with MS-PAC is filtered out or + * its primary group RID is filtered out + * + * REMOVE SID-- SIDs are removed from the list of SIDs associated + * with the principal if they are filtered out + * This applies also to secondary RIDs of the principal + * if domain_sid-secondary RID is filtered out + */ + struct ipadb_context *ipactx; struct ipadb_adtrusts *domain; -int i, j, k, count; +int i, j, k, l, count; +uint32_t rid; bool result; char *domstr = NULL; 
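Review bot: `rid` is a `uint32_t` but is printed with `%d` in the new `filter_logon_info_log_message_rid`, so a RID with the high bit set (above 2147483647) is logged as a negative number, which makes the PAC-filtering audit trail misleading precisely when an unusual SID from a trusted domain shows up. Such RIDs are unusual in practice, but the conversion is still wrong; use `PAC filtering issue: SID [%s-%u] is not allowed` or `PRIu32`. The `else` branch that logs without the SID when `dom_sid_string()` fails is a good fail-safe and should stay.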
@@ -1377,6 +1405,76 @@ static krb5_error_code filter_logon_info(krb5_context context, } } +/* Check if this user's SIDs membership is filtered too */ +for(k = 0; k domain-len_sid_blacklist_incoming; k++) { +/* Short-circuit if there are no RIDs. This may happen if we filtered everything already. + * In normal situation there would be at least primary gid as RID in the RIDs array + * but if we filtered out the primary RID, this MS-PAC is invalid */ +count = info-info-info3.base.groups.count; +result = dom_sid_is_prefix(info-info-info3.base.domain_sid, + domain-sid_blacklist_incoming[k]); +if (result) { +i = 0; +j = 0; +if (domain-sid_blacklist_incoming[k].num_auths - info-info-info3.base.domain_sid-num_auths != 1) { +krb5_klog_syslog(LOG_ERR, Incoming SID blacklist element matching domain [%s with SID %s] + has more than one RID component. Invalid check skipped., + domain-domain_name, domain-domain_sid); +break; +} +rid = domain-sid_blacklist_incoming[k].sub_auths[domain-sid_blacklist_incoming[k].num_auths - 1]; +if (rid ==
Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy
On 07/07/2015 04:28 PM, Alexander Bokovoy wrote: On Tue, 07 Jul 2015, Nathaniel McCallum wrote: This LGTM. However, I’ll let Alexander give the ACK. Looks good for me too. Pushed to master: 25d1afdc54284c6bcf1caf08beae2e66ceb7f4e8 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Password vault
- Original Message - On 07/07/2015 10:51 AM, Jan Cholasta wrote: Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a): Here is the rebased patch for vault access control. LGTM, except: @@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], +'aci': +'(targetfilter=(objectClass=ipaVault))' + +'(version 3.0; ' + +'acl User can manage private vaults; ' + +'allow(read, search, compare, add, delete) ' + +'userdn=ldap:///%s;;)' +% owner_dn }) # if entry can be added, return I don't think dynamically creating ACIs with hardcoded userdn is something we want to do. This should be handled by a single ACI in cn=vaults. +1. Single ACI like +default: aci: (targetfilter=(objectClass=ipaVault))(version 3.0; acl Vault owners can manage the vault; allow(read, search, compare, write) userattr=owner#USERDN;) you already have there is more preferred. New patch attached. For this to work the container itself needs an 'owner' attribute, so I changed the nsContainer into ipaVaultContainer. -- Endi S. Dewata From 087f36b888e068ee732af6e0a2c24b1d50849ccd Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control. New LDAP ACIs have been added to allow vault owners to manage the vaults and to allow members to access the vaults. New CLIs have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 92 +++ VERSION | 4 +- install/share/60basev3.ldif | 3 +- install/share/vault.update| 15 +++- ipalib/plugins/vault.py | 118 -- ipatests/test_xmlrpc/test_vault_plugin.py | 27 +-- 6 files changed, 226 insertions(+), 33 deletions(-) diff --git a/API.txt b/API.txt index 99fa528733200fc3d797a9847b1d6df2188b92d5..98eaee8ce8b2804a6d34e42c3eff26ddb3851963 100644 --- a/API.txt +++ b/API.txt 
@@ -5422,27 +5422,58 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: vault_add_internal -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, 
pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option:
Re: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not, available.
On 03/07/15 08:46, Martin Kosek wrote: On 07/03/2015 08:41 AM, Jan Cholasta wrote: Dne 2.7.2015 v 14:34 David Kupka napsal(a): On 01/07/15 16:31, David Kupka wrote: Updated patch attached. Client install works, but uninstall does not: # ipa-client-install --uninstall -U certmonger failed to start: Command ''/bin/systemctl' 'start' 'certmonger.service'' returned non-zero exit status 1 certmonger failed to stop tracking certificate: Failed to start certmonger: Timeouted 2015-07-03 02:38:15 [17242] Error reading PIN from /etc/ipa/nssdb/pwdfile.txt: No such file or directory. Failed to start certmonger: Timeouted The patch needs a rebase. Also, Timeouted is not a word, try Timed out instead :-) Updated patch attached. Also attaching patch that removes unneeded certmonger (re)starting and DBus starting from ipa-client-install. -- David Kupka From e4a04d2f1c6ceb73306d5c417172eba38257dd11 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 7 Jul 2015 15:49:27 +0200 Subject: [PATCH] cermonger: Use private unix socket when DBus SystemBus is not available. --- ipaplatform/base/paths.py | 4 ++ ipapython/certmonger.py | 128 -- 2 files changed, 94 insertions(+), 38 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9fef3e7a1351dd42895fe560bb3c1bc5a1c852b4..5756040172126438d42275b734f4d766d53048fe 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -348,3 +348,7 @@ class BasePathNamespace(object): BAK2DB = '/usr/sbin/bak2db' DB2BAK = '/usr/sbin/db2bak' KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf' +CERTMONGER = '/usr/sbin/certmonger' + + +path_namespace = BasePathNamespace diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 4b85da08bb943d6b9f0091a1d2acc36b18d6..9914481a6c9ceccdfbfebcd294a60c827acf801f 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py 
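Review bot: `path_namespace = BasePathNamespace` at the bottom of the base paths module binds the class object, not an instance, and nothing else in this patch references it (certmonger.py uses `paths.CERTMONGER`); I cannot see from here whether another module imports it. If it is meant to mirror a per-platform `paths` object it presumably needs to be an instance and to live alongside the platform-specific namespaces, otherwise it can be dropped. `CERTMONGER = '/usr/sbin/certmonger'` itself is fine and matches the neighbouring constants.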
@@ -27,6 +27,8 @@ import sys import time import dbus import shlex +import subprocess +import tempfile from ipapython import ipautil from ipapython import dogtag from ipapython.ipa_log_manager import * @@ -35,6 +37,7 @@ from ipaplatform import services DBUS_CM_PATH = '/org/fedorahosted/certmonger' DBUS_CM_IF = 'org.fedorahosted.certmonger' +DBUS_CM_NAME = 'org.fedorahosted.certmonger' DBUS_CM_REQUEST_IF = 'org.fedorahosted.certmonger.request' DBUS_CM_CA_IF = 'org.fedorahosted.certmonger.ca' DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties' @@ -44,7 +47,7 @@ class _cm_dbus_object(object): Auxiliary class for convenient DBus object handling. -def __init__(self, bus, object_path, object_dbus_interface, +def __init__(self, bus, parent, object_path, object_dbus_interface, parent_dbus_interface=None, property_interface=False): bus - DBus bus object, result of dbus.SystemBus() or dbus.SessionBus() @@ -60,6 +63,7 @@ class _cm_dbus_object(object): if parent_dbus_interface is None: parent_dbus_interface = object_dbus_interface self.bus = bus +self.parent = parent self.path = object_path self.obj_dbus_if = object_dbus_interface self.parent_dbus_if = parent_dbus_interface 
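Review bot: `_cm_dbus_object.__init__` gains a new positional `parent` parameter inserted before `object_path`, so any existing call of the form `_cm_dbus_object(bus, path, iface, ...)` that is not updated will either raise TypeError or, when four or more positionals are passed, silently bind the path to `parent` and the interface to `object_path`; the existing callers are outside this chunk, so please double-check them, or make `parent` a trailing keyword parameter so the old call shape stays valid. Separately, the new `_start_private_conn` spawns `paths.CERTMONGER`, while this import hunk adds only `subprocess` and `tempfile`; whether `from ipaplatform.paths import paths` already exists on a line not shown (next to `from ipaplatform import services`) I cannot tell, so confirm it rather than relying on it.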
@@ -69,36 +73,83 @@ class _cm_dbus_object(object): self.prop_if = dbus.Interface(self.obj, DBUS_PROPERTY_IF) -def _start_certmonger(): +class _certmonger(_cm_dbus_object): -Start certmonger daemon. If it's already running systemctl just ignores -the command. +Create a connection to certmonger. +By default use SystemBus. When not available use private connection +over Unix socket. +This solution is really ugly and should be removed as soon as DBus +SystemBus is available at system install time. -if not services.knownservices.certmonger.is_running(): +_bus = None +_proc = None +timeout = 300 + +def _start_private_conn(self): +sock_filename = os.path.join(tempfile.mkdtemp(), 'certmonger') +self._proc = subprocess.Popen([paths.CERTMONGER, '-n', '-L', '-P', + sock_filename]) +for t in range(0, self.timeout, 5): +if os.path.exists(sock_filename): +return unix:path=%s % sock_filename +time.sleep(5) +self._stop_private_conn() +raise RuntimeError(Failed to start certmonger: Timed out) + +def _stop_private_conn(self): +if self._proc: +retcode = self._proc.poll() +if retcode is not None: +return +self._proc.terminate() +for t in range(0, self.timeout, 5): +retcode = self._proc.poll() +if retcode is not None: +return +time.sleep(5) +root_logger.error(Failed to stop certmonger.) + +def __del__(self): +