[Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5103. Honza -- Jan Cholasta From cc2393aef3500761e81135192278a7780b1ac03b Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Jul 2015 11:18:27 + Subject: [PATCH] spec file: Update minimal versions of required packages https://fedorahosted.org/freeipa/ticket/5103 --- freeipa.spec.in | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 415a875..908287a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -77,7 +77,7 @@ BuildRequires: pylint = 1.0 BuildRequires: python-polib BuildRequires: libipa_hbac-python BuildRequires: python-memcached -BuildRequires: sssd = 1.9.2 +BuildRequires: sssd = 1.13.0 BuildRequires: python-lxml BuildRequires: python-pyasn1 = 0.0.9a BuildRequires: python-qrcode-core = 5.0.0 @@ -151,7 +151,7 @@ Requires: python-kdcproxy = 0.3 Requires: zip Requires: policycoreutils = 2.1.12-5 Requires: tar -Requires(pre): certmonger = 0.76.8 +Requires(pre): certmonger = 0.78 Requires(pre): 389-ds-base = 1.3.4.0 Requires: fontawesome-fonts Requires: open-sans-fonts @@ -206,9 +206,7 @@ Requires: samba-winbind Requires: libsss_idmap Requires: libsss_nss_idmap-python Requires: oddjob -%if (0%{?fedora} = 22) Requires: python-sss -%endif # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # on the installes where server-trust-ad subpackage is installed because # IPA AD trusts cannot be used at the same time with the locator plugin @@ -242,9 +240,9 @@ Requires: pam_krb5 Requires: wget Requires: libcurl = 7.21.7-2 Requires: xmlrpc-c = 1.27.4 -Requires: sssd = 1.12.3 +Requires: sssd = 1.13.0 Requires: python-sssdconfig -Requires: certmonger = 0.76.8 +Requires: certmonger = 0.78 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir 
@@ -303,9 +301,7 @@ Requires: python-qrcode-core = 5.0.0 Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico = 1.2.3 -%if (0%{?fedora} = 22) Requires: python-sss-murmur -%endif Requires: wget Requires: dbus-python Requires: python-setuptools -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
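Review bot: neither the commit message nor the hunks say why the floors move (`+BuildRequires: sssd = 1.13.0`, `+Requires(pre): certmonger = 0.78`, and the matching client-side `+Requires: sssd = 1.13.0` / `+Requires: certmonger = 0.78`); add a line to the commit message, or to ticket 5103, naming the feature or fix each minimum is tied to, so whoever next touches these lines knows what breaks below them. Dropping the two `%if (0%{?fedora} = 22)` guards also makes `python-sss` and `python-sss-murmur` unconditional requirements on every target; that is consistent with requiring sssd 1.13.0 everywhere, but confirm both subpackages ship with that sssd on each supported platform before pushing, or the server-trust-ad and client subpackages become uninstallable there. The version comparison operators are flattened to `=` throughout this copy, in unchanged context such as `BuildRequires: pylint = 1.0` as well, so read them as the spec's usual version-floor operator rather than an exact pin.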
Re: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed
On 08/07/15 14:35, Jan Cholasta wrote:
> Hi,
>
> On 8.7.2015 at 12:58, Martin Basti wrote:
>> Patch attached.
>
> Use self.log instead of root_logger. Otherwise ACK.
>
> Honza

Updated patch attached.

-- 
Martin Basti

From 8b121d8e202d6b99e4cbffa690d9b05aaeb92cec Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 8 Jul 2015 12:19:58 +0200 Subject: [PATCH] Upgrade: Do not show upgrade failed message when IPA is not installed --- freeipa.spec.in | 2 +- ipaserver/install/ipa_server_upgrade.py | 5 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 415a875faf2ca1ada0d6a3b90d4f1d93d28eb8d1..7e1ad4615d78bba657f542d442732d2627709108 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -536,7 +536,7 @@ fi %posttrans server # This must be run in posttrans so that updates from previous # execution that may no longer be shipped are not applied. -/usr/sbin/ipa-server-upgrade --quiet /dev/null || echo IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. +/usr/sbin/ipa-server-upgrade --quiet /dev/null || : # Restart IPA processes. This must be also run in postrans so that plugins # and software is in consistent state diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..2ebdf9185f83c66b7ecc1b0155f98790e03186df 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py 
@@ -50,4 +50,9 @@ class ServerUpgrade(admintool.AdminTool): raise admintool.ScriptError(str(e)) def handle_error(self, exception): +if not isinstance(exception, SystemExit): +# do not log this message when ipa is not installed +self.log.error(IPA server upgrade failed: Inspect + /var/log/ipaupgrade.log and run command + ipa-server-upgrade manually.) return installutils.handle_error(exception, self.log_file_name) -- 2.4.3
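Review bot: in the `%posttrans server` hunk, replacing the `echo` with `|| :` means a failed upgrade on an installed server now produces no output at all during the RPM transaction; the administrator learns about it only from `/var/log/ipaupgrade.log`, and only if the tool got far enough to write there. If the intent is just to silence the not-installed case, keep a console hint for every other non-zero exit, for example by giving `ipa-server-upgrade` a distinct exit status for "not installed" and testing for that status in the scriptlet, instead of discarding every failure.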
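Review bot: in the `ipa_server_upgrade.py` hunk, `isinstance(exception, SystemExit)` stands in for "IPA is not installed", but `SystemExit` is what any `sys.exit()` call raises, so a genuine upgrade failure that exits that way is silenced as well. A narrower test, such as a dedicated exception type raised only by the not-installed path, or checking the configured state directly, keeps the message for every real failure; the comment `# do not log this message when ipa is not installed` should then describe the condition actually tested.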
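The two decisions this patch splits, the tool deciding when the "upgrade failed" message is warranted and the scriptlet deciding that the RPM transaction must never fail because of it, as an added example. This is not FreeIPA's code: `ServerUpgrade`, `NotInstalled`, the exit statuses, the `example.` logger name and the failure scenarios are assumptions made for the example, and it also exercises the case the patch does not distinguish, an upgrade that fails by calling `sys.exit()`.

```python
import logging


class NotInstalled(SystemExit):
    """Raised when no IPA server is configured on this host.

    Assumption for this example: the not-installed path exits through
    SystemExit, which is what the patch's isinstance() test relies on. The
    exit status 2 is made up here.
    """

    def __init__(self):
        super().__init__(2)


class ListHandler(logging.Handler):
    """Captures log messages so a caller can assert on them."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


class ServerUpgrade:
    """Stand-in for the AdminTool subclass in the patch (not FreeIPA's class)."""

    LOG_FILE = "/var/log/ipaupgrade.log"   # path quoted in the patch

    def __init__(self, installed, upgrade, log):
        self.installed = installed   # simulated host state
        self.upgrade = upgrade       # callable that performs the real work
        self.log = log

    def run(self):
        if not self.installed:
            raise NotInstalled()
        self.upgrade()
        return 0

    def handle_error(self, exception):
        # Same decision as the hunk: the loud message is only for real failures;
        # anything that is a SystemExit (the not-installed case included) stays quiet.
        if not isinstance(exception, SystemExit):
            self.log.error("IPA server upgrade failed: Inspect %s and run command "
                           "ipa-server-upgrade manually.", self.LOG_FILE)
            return 1
        return exception.code

    def main(self):
        try:
            return self.run()
        except (Exception, SystemExit) as exc:
            return self.handle_error(exc)


def posttrans(tool):
    """Model of the scriptlet after the patch: `ipa-server-upgrade --quiet || :`.

    The RPM transaction must never fail because of the upgrade, so the
    scriptlet's own status is always 0; the tool's status is returned too so
    a caller can still see it.
    """
    tool_status = tool.main()
    return 0, tool_status


def simulate(installed, failure=None):
    """Run one scenario; returns (scriptlet status, tool status, logged messages).

    failure: None for success, "error" for an exception raised by the upgrade,
    "exit" for an upgrade that bails out with a sys.exit()-style SystemExit.
    """
    logger = logging.getLogger("example.ipa-server-upgrade")
    logger.propagate = False            # keep the demo quiet on stderr
    handler = ListHandler()
    logger.addHandler(handler)

    def upgrade():
        if failure == "error":
            raise RuntimeError("constructed failure: LDAP update failed")
        if failure == "exit":
            raise SystemExit(1)     # a real failure that exits via sys.exit(1)

    try:
        rpm_status, tool_status = posttrans(ServerUpgrade(installed, upgrade, logger))
    finally:
        logger.removeHandler(handler)
    return rpm_status, tool_status, handler.messages


if __name__ == "__main__":
    for scenario in [(True, None), (False, None), (True, "error"), (True, "exit")]:
        print(scenario, simulate(*scenario))
```

The last scenario is the one worth noticing: an upgrade that exits with status 1 through `SystemExit` is treated exactly like the not-installed case, so nothing is logged and the scriptlet still returns 0.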
Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
On 08/07/15 13:08, Jan Cholasta wrote:
> On 8.7.2015 at 07:43, Jan Cholasta wrote:
>> On 8.7.2015 at 00:37, Tomas Babej wrote:
>>> On 07/07/2015 07:49 PM, Martin Basti wrote:
>>>> On 03/07/15 16:41, Martin Babinsky wrote:
>>>>> On 07/02/2015 01:58 PM, Martin Babinsky wrote:
>>>>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768
>>>>>
>>>>> Attaching reworked patch.
>>>>
>>>> ACK
>>>>
>>>> --
>>>> Martin Basti
>>>
>>> Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474
>>
>> NACK! This won't work, as it breaks capabilities.
>
> Fixed, see the attached patch.

ACK

-- 
Martin Basti
Re: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed
Hi,

On 8.7.2015 at 12:58, Martin Basti wrote:
> Patch attached.

Use self.log instead of root_logger. Otherwise ACK.

Honza

-- 
Jan Cholasta
[Freeipa-devel] [PATCH 0278] Fix API logging
log must be initialized before first usage in API, otherwise traceback is shown:

# ipa -e random-nonexistent-key=1 user-find
Traceback (most recent call last):
  File "/bin/ipa", line 32, in <module>
    cli.run(api)
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run
    api.log.exception('%s: %s', e.__class__.__name__, str(e))
AttributeError: 'API' object has no attribute 'log'

Patch attached.

-- 
Martin Basti

From e6f58d28036fbe7e58b32df0ffc9da70a54cba57 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 8 Jul 2015 14:13:19 +0200 Subject: [PATCH] Fix logging in API Setup log in API before first usage --- ipalib/plugable.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index 2ce7acfd6c916000923500a1da077f49e68392d1..45b3463760965f1afdbe1145b3af9bcf4943def9 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -372,11 +372,11 @@ class API(ReadOnly): Initialize environment variables and logging. self.__doing('bootstrap') -self.env._bootstrap(**overrides) -self.env._finalize_core(**dict(DEFAULT_CONFIG)) self.log_mgr = log_mgr log = log_mgr.root_logger self.log = log +self.env._bootstrap(**overrides) +self.env._finalize_core(**dict(DEFAULT_CONFIG)) # Add the argument parser if not parser: -- 2.4.3
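Review bot: moving `self.log = log` ahead of `self.env._bootstrap(**overrides)` removes the `AttributeError` in `cli.run`, but the logger handed out is `log_mgr.root_logger` before the environment has been read, so anything logged while `_bootstrap` or `_finalize_core` rejects an override (the `ipa -e random-nonexistent-key=1 user-find` case in the report) goes through whatever configuration the log manager has at that point. That is acceptable for an error path, but say so in the commit message, and the reproducer from the report deserves a test asserting that the command now prints a clean error instead of a traceback.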
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 08/07/15 13:46, Petr Vobornik wrote:
> On 07/08/2015 01:20 PM, Martin Basti wrote:
>> On 08/07/15 12:51, Martin Basti wrote:
>>> On 08/07/15 12:20, Petr Vobornik wrote:
>>>> On 07/08/2015 10:37 AM, Petr Vobornik wrote:
>>>>> API refactoring caused that session_logout command was not registered.
>>>>> Commands in ipalib/plugins directory are automatically registered.
>>>>
>>>> Added NO_CLI = True to hide the command in CLI.
>>>
>>> Works for me.
>>>
>>> --
>>> Martin Basti
>>
>> NACK, It works but you should update API.txt
>>
>> Command session_logout in ipalib, not in API
>> There are one or more new commands defined. Update API.txt and increment the minor version in VERSION.
>
> updated patch attached.

ACK

-- 
Martin Basti
Re: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages
On Wed, 08 Jul 2015, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/5103.

ACK.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 07/08/2015 01:20 PM, Martin Basti wrote: On 08/07/15 12:51, Martin Basti wrote: On 08/07/15 12:20, Petr Vobornik wrote: On 07/08/2015 10:37 AM, Petr Vobornik wrote: API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. ercategory User category the ACL applies to Added NO_CLI = True to hide the command in CLI. Works for me. -- Martin Basti NACK, It works but you should update API.txt Command session_logout in ipalib, not in API There are one or more new commands defined. Update API.txt and increment the minor version in VERSION. updated patch attached. -- Petr Vobornik From 20caa29033418617c94066e6b0f94fce0aba86d1 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 10:32:54 +0200 Subject: [PATCH] move session_logout command to ipalib/plugins directory API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. --- API.txt | 4 VERSION | 4 ++-- ipalib/plugins/session.py | 31 +++ ipalib/session.py | 29 - 4 files changed, 37 insertions(+), 31 deletions(-) create mode 100644 ipalib/plugins/session.py diff --git a/API.txt b/API.txt index d4eb074bf3ca22b249e85336f21cb7a3c557f39d..c68bee94e3a9ed6182f6bd2152070222e32c7532 100644 --- a/API.txt +++ b/API.txt @@ -4201,6 +4201,10 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: session_logout +args: 0,1,1 +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: sidgen_was_run args: 0,1,1 option: Str('version?', exclude='webui') diff --git a/VERSION b/VERSION index 38af6ec593cef90e03cfc532038c959ae23a45f5..f67ec791a278b568ee633bf6c65e5a2f5c389cc0 100644 --- a/VERSION 
+++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=145 -# Last change: edewata - added vault access control +IPA_API_VERSION_MINOR=146 +# Last change: pvoborni - move session_logout to ipalib/plugins diff --git a/ipalib/plugins/session.py b/ipalib/plugins/session.py new file mode 100644 index ..3fd566d3224a13b5fbaa4450f02855329a13bc4c --- /dev/null +++ b/ipalib/plugins/session.py @@ -0,0 +1,31 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import Command +from ipalib.request import context +from ipalib.session import session_mgr +from ipalib.plugable import Registry + +register = Registry() + + +@register() +class session_logout(Command): +''' +RPC command used to log the current user out of their session. +''' +NO_CLI = True + +def execute(self, *args, **options): +session_data = getattr(context, 'session_data', None) +if session_data is None: +self.debug('session logout command: no session_data found') +else: +session_id = session_data.get('session_id') +self.debug('session logout command: session_id=%s', session_id) + +# Notifiy registered listeners +session_mgr.auth_mgr.logout(session_data) + +return dict(result=None) diff --git a/ipalib/session.py b/ipalib/session.py index 2f732b75c837b931c6b16ccfc535e11d7e4c..ec6c2081c65678dc1e75ab957564ace906b68252 100644 --- a/ipalib/session.py +++ b/ipalib/session.py @@ -26,7 +26,6 @@ from urllib2 import urlparse from text import _ from ipapython.ipa_log_manager import * from ipalib import api, errors -from ipalib import Command from ipaplatform.paths import paths from ipalib.krb_utils import * from ipapython.cookie import Cookie 
@@ -1278,32 +1277,4 @@ def release_ipa_ccache(ccache_name): else: raise ValueError('ccache scheme %s unsupported (%s)', scheme, ccache_name) - -#--- - -from ipalib.request import context - -class session_logout(Command): -''' -RPC command used to log the current user out of their session. -''' - -def execute(self, *args, **options): -session_data = getattr(context, 'session_data', None) -if session_data is None: -self.debug('session logout command: no session_data found') -else: -session_id = session_data.get('session_id') -self.debug('session logout command: session_id=%s', session_id) - -# Notifiy registered listeners -session_mgr.auth_mgr.logout(session_data) - -
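Review bot: in the new `ipalib/plugins/session.py`, the hunk's indentation is lost in this copy, so confirm that `session_mgr.auth_mgr.logout(session_data)` sits inside the `else:` branch; if it is at the level of the `if`, the command calls `logout(None)` whenever a request arrives without `session_data`, and the `no session_data found` debug line becomes misleading. While the class is being moved, fix the comment typo `# Notifiy registered listeners`, and consider saying in the docstring why `NO_CLI = True` is set, since the doc only calls it an RPC command. The `API.txt` and `VERSION` hunks (`IPA_API_VERSION_MINOR=146`) answer the NACK. One thing to check at plugin load time: the plugin does `from ipalib.session import session_mgr` while `ipalib/session.py` keeps `from ipalib import api, errors`, so make sure the import order does not form a cycle now that the class is imported from the other side.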
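The mechanism this thread relies on, commands registering themselves through a decorator when their module is imported, a loader that imports every module under the plugins package, and an API.txt-style check that catches a command nobody registered, as an added example. This is not ipalib's code: the `demo_plugins` package, its `Registry`, the stray `legacy_session.py` that models the pre-patch location of `session_logout`, and the `API_TXT_COMMANDS` list are all constructed for the example.

```python
import functools
import importlib
import pkgutil
import sys
import tempfile
from pathlib import Path

# Constructed sources for a throwaway package. The registry lives in the package
# __init__ so plugin modules reach it with a relative import; it is a stand-in
# for ipalib.plugable.Registry, not that class.
PACKAGE_INIT = '''
class Registry:
    """Collects command classes decorated with @register()."""
    def __init__(self):
        self.commands = {}
    def __call__(self):
        def decorator(cls):
            self.commands[cls.__name__] = cls
            return cls
        return decorator

register = Registry()
'''

SESSION_PLUGIN = '''
from . import register

@register()
class session_logout:
    """RPC-only command, hidden from the CLI by NO_CLI."""
    NO_CLI = True
    def execute(self, *args, **options):
        return dict(result=None)
'''

USER_PLUGIN = '''
from . import register

@register()
class user_find:
    def execute(self, *args, **options):
        return dict(result=[], count=0)
'''

# The pre-patch situation: a command class kept outside the plugins package.
# The loader never imports this file, so the class is never registered.
LEGACY_MODULE = '''
class session_logout:
    def execute(self, *args, **options):
        return dict(result=None)
'''

# Constructed stand-in for the command list in API.txt. sidgen_was_run appears
# in the API.txt hunk above but has no plugin in this demo, so the check must
# flag it as missing.
API_TXT_COMMANDS = ["session_logout", "sidgen_was_run", "user_find"]


def build_tree():
    """Write the demo package and the stray legacy module into a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="plugin_registry_demo_"))
    pkg = root / "demo_plugins"
    pkg.mkdir()
    (pkg / "__init__.py").write_text(PACKAGE_INIT)
    (pkg / "session.py").write_text(SESSION_PLUGIN)
    (pkg / "user.py").write_text(USER_PLUGIN)
    (root / "legacy_session.py").write_text(LEGACY_MODULE)
    return root


def load_plugins(root, package="demo_plugins"):
    """Import every module under the package; the @register() decorators run on import."""
    sys.path.insert(0, str(root))
    try:
        pkg = importlib.import_module(package)
        for info in pkgutil.iter_modules(pkg.__path__):
            importlib.import_module(f"{package}.{info.name}")
    finally:
        sys.path.remove(str(root))
    return pkg.register.commands


@functools.lru_cache(maxsize=None)
def registered_commands():
    return load_plugins(build_tree())


def missing_from_api_txt(commands, expected=API_TXT_COMMANDS):
    """The API.txt consistency check: expected commands that no plugin registered."""
    return sorted(set(expected) - set(commands))


def cli_commands(commands):
    """What the CLI would list: every registered command without NO_CLI = True."""
    return sorted(name for name, cls in commands.items() if not getattr(cls, "NO_CLI", False))


if __name__ == "__main__":
    commands = registered_commands()
    print("registered:", sorted(commands))
    print("visible in CLI:", cli_commands(commands))
    print("missing vs API.txt:", missing_from_api_txt(commands))
    print("session_logout result:", commands["session_logout"]().execute())
```

The class in `legacy_session.py` never shows up in the registry although it has the right name and body, which is exactly the silent failure the move to `ipalib/plugins/` corrects; only the comparison against the expected command list makes that visible.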
[Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls
add Web UI for new certificate objects [PATCH] 894 webui: certificate profiles [PATCH] 895 webui: caacl [PATCH] 896 webui: hide facet tab in certificate details facet -- Petr Vobornik From 4d3332098c72545bc4bb179e29ede7fcbd6bbb1e Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 14:18:48 +0200 Subject: [PATCH] webui: hide facet tab in certificate details facet --- install/ui/src/freeipa/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index 146c71ef54704c2a813816bde39fc8eb2e96e75f..28d0407db319a4b72f0021c7d10a30418c2e498f 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -1135,6 +1135,7 @@ return { $type: 'details', $factory: IPA.cert.details_facet, no_update: true, +disable_facet_tabs: true, actions: [ 'cert_revoke', 'cert_restore' -- 2.4.3 From f993d9b8681cae681313dda06fa636956ed94188 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 12:11:02 +0200 Subject: [PATCH] webui: caacl --- install/ui/doc/categories.json | 1 + install/ui/src/freeipa/app.js | 1 + install/ui/src/freeipa/certificate.js | 3 +- install/ui/src/freeipa/navigation/menu_spec.js | 5 + install/ui/src/freeipa/plugins/caacl.js| 379 + install/ui/test/data/ipa_init.json | 13 + ipalib/plugins/internal.py | 13 + 7 files changed, 414 insertions(+), 1 deletion(-) create mode 100644 install/ui/src/freeipa/plugins/caacl.js diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json index 34ca7e839e2dfa354bbdeb37fdc30315a2a4f104..70b5666c062d9c5f8739e13ac3e82a74ab5249de 100644 --- a/install/ui/doc/categories.json +++ b/install/ui/doc/categories.json @@ -256,6 +256,7 @@ topology, user, plugins.api_browser, +plugins.caacl, plugins.certprofile, plugins.load, plugins.login, 
diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 6efb6b0c04a2339c84a18c77d80a4a7486382b08..1057120c02c000e5c21ad62c1517ccb59115f0cc 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -29,6 +29,7 @@ define([ './aci', './automember', './automount', +'./plugins/caacl', './plugins/certprofile', './dns', './group', diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b2d740dcb74fc9b185a768d3675aea9527210040..146c71ef54704c2a813816bde39fc8eb2e96e75f 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js @@ -1024,7 +1024,8 @@ exp.facet_group = { label: '@i18n:tabs.cert', facets: { certificates: 'cert_search', -profiles: 'certprofile_search' +profiles: 'certprofile_search', +acls: 'caacl_search' } }; diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 713f205de1a06db255b559fbd2b6a7c7c340e18d..32bbd6aaab9e47854e74d26b7f23b89d8bfe7410 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -137,6 +137,11 @@ var nav = {}; entity: 'cert', facet: 'search', hidden: true +}, +{ +entity: 'caacl', +facet: 'search', +hidden: true } ] }, diff --git a/install/ui/src/freeipa/plugins/caacl.js b/install/ui/src/freeipa/plugins/caacl.js new file mode 100644 index ..06973da4deb601d88809709f6260f5f26a1b7f31 --- /dev/null +++ b/install/ui/src/freeipa/plugins/caacl.js 
@@ -0,0 +1,379 @@ +// +// Copyright (C) 2015 FreeIPA Contributors see COPYING for license +// + +define([ +'../ipa', +'../jquery', +'../phases', +'../reg', +'../certificate', +'../rule' +], +function(IPA, $, phases, reg, cert) { +/** + * caacl module + * @class plugins.caacl + * @singleton + */ +var caacl = IPA.caacl = { +remove_method_priority: IPA.config.default_priority - 1 +}; + +var make_caacl_spec = function() { +var spec = { +name: 'caacl', +facets: [ +{ +$type: 'search', +disable_facet_tabs: false, +tabs_in_sidebar: true, +tab_label: '@mo:caacl.label', +facet_groups: [cert.facet_group], +facet_group: 'certificates', +row_enabled_attribute:
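Review bot: none of the commit messages in this set (`webui: hide facet tab in certificate details facet`, `webui: caacl`, and the certificate profiles patch whose diff is not in this copy) carries a ticket link, unlike every other patch in this thread; add the reference so the UI work can be matched to the server-side certprofile and caacl commands it exposes. The `install/ui/src/freeipa/plugins/caacl.js` hunk is cut off after `row_enabled_attribute:` in this copy, so the ACL facet spec, including which attribute drives the enabled state and how the rule widgets map onto the caacl command options, cannot be reviewed here; please resend or point at the full patch.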
[Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed
Patch attached. -- Martin Basti From 5928be7850a773420e1d4e6e001aa225a5bdce17 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 8 Jul 2015 12:19:58 +0200 Subject: [PATCH] Upgrade: Do not show upgrade failed message when IPA is not installed --- freeipa.spec.in | 2 +- ipaserver/install/ipa_server_upgrade.py | 6 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8fee33bd958fd375d3a0eb105611679170b0adba..e09e2f5e27f5905155487e84b5daa404a6c3b95f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -535,7 +535,7 @@ fi %posttrans server # This must be run in posttrans so that updates from previous # execution that may no longer be shipped are not applied. -/usr/sbin/ipa-server-upgrade --quiet /dev/null || echo IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. +/usr/sbin/ipa-server-upgrade --quiet /dev/null || : # Restart IPA processes. This must be also run in postrans so that plugins # and software is in consistent state diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index d0a839d0a316317622894e5b56896f91a9e29bb8..511b224927b1db0ea5cbc2468ab233f76b081d91 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -7,6 +7,7 @@ import os from ipalib import api from ipaplatform.paths import paths from ipapython import admintool +from ipapython.ipa_log_manager import root_logger from ipaserver.install import installutils from ipaserver.install import server 
@@ -50,4 +51,9 @@ class ServerUpgrade(admintool.AdminTool): raise admintool.ScriptError(str(e)) def handle_error(self, exception): +if not isinstance(exception, SystemExit): +# do not log this message when ipa is not installed +root_logger.error(IPA server upgrade failed: Inspect + /var/log/ipaupgrade.log and run command + ipa-server-upgrade manually.) return installutils.handle_error(exception, self.log_file_name) -- 2.4.3
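Review bot: the `ipa_server_upgrade.py` hunk adds `from ipapython.ipa_log_manager import root_logger` and reports the failure through `root_logger.error(...)`, bypassing the tool's own logger; use `self.log`, as the review reply in this thread asks, so the message follows the tool's logging configuration and the extra import can go. The broader points, that `|| :` in `%posttrans` now hides every failure and that `SystemExit` is a wide proxy for "IPA is not installed", apply to this version as much as to the updated one.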
Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk
On 8.7.2015 at 07:43, Jan Cholasta wrote:
> On 8.7.2015 at 00:37, Tomas Babej wrote:
>> On 07/07/2015 07:49 PM, Martin Basti wrote:
>>> On 03/07/15 16:41, Martin Babinsky wrote:
>>>> On 07/02/2015 01:58 PM, Martin Babinsky wrote:
>>>>> First attempt at https://fedorahosted.org/freeipa/ticket/4768
>>>>
>>>> Attaching reworked patch.
>>>
>>> ACK
>>>
>>> --
>>> Martin Basti
>>
>> Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474
>
> NACK! This won't work, as it breaks capabilities.

Fixed, see the attached patch.

-- 
Jan Cholasta

From 5d9321d7a11bcb60ec2b1fde5bebe151932e3046 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Jul 2015 06:21:02 + Subject: [PATCH] ipalib: Fix skip_version_check option This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474. The option can be either set in IPA config file or specified as 'ipa -e skip_version_check=1 [COMMAND]'. https://fedorahosted.org/freeipa/ticket/4768 --- ipa-client/man/default.conf.5 | 3 +++ ipalib/frontend.py| 7 +-- ipalib/plugable.py| 8 +--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index e345e93..75b9f86 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 @@ -166,6 +166,9 @@ Specifies how the expiration of a session is computed. With \fBinactivity_timeou .B server hostname Specifies the IPA Server hostname. .TP +.B skip_version_check boolean +Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution. +.TP .B startup_timeout time in seconds Controls the amount of time waited when starting a service. The default value is 120 seconds. .TP diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 3a59838..2ca3aae 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py 
@@ -26,6 +26,7 @@ from distutils import version from ipapython.version import API_VERSION from ipapython.ipa_log_manager import root_logger +from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES from base import NameSpace from plugable import Plugin from parameters import create_param, Param, Str, Flag, Password @@ -423,7 +424,9 @@ class Command(HasParam): version_provided = 'version' in options if version_provided: self.verify_client_version(unicode(options['version'])) -elif self.api.env.in_server or not self.api.env.skip_version_check: +elif self.api.env.skip_version_check and not self.api.env.in_server: +options['version'] = VERSION_WITHOUT_CAPABILITIES +else: options['version'] = API_VERSION params = self.args_options_2_params(*args, **options) self.debug( @@ -451,7 +454,7 @@ class Command(HasParam): ): ret['summary'] = self.get_summary_default(ret) if self.use_output_validation and (self.output or ret is not None): -self.validate_output(ret, options.get('version', API_VERSION)) +self.validate_output(ret, options['version']) return ret def soft_validate(self, values): diff --git a/ipalib/plugable.py b/ipalib/plugable.py index 269d580..2ce7acf 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -484,12 +484,6 @@ class API(ReadOnly): dest='fallback', help='Only use the server configured in /etc/ipa/default.conf' ) -parser.add_option( -'--skip-version-check', -action='store_true', -dest='skip_version_check', -help=optparse.SUPPRESS_HELP -) return parser 
@@ -509,7 +503,7 @@ class API(ReadOnly): pass overrides[str(key.strip())] = value.strip() for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive', -'fallback', 'delegate', 'skip_version_check'): +'fallback', 'delegate'): value = getattr(options, key, None) if value is not None: overrides[key] = value -- 2.1.0
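Review bot: in the `frontend.py` hunk, a client with `skip_version_check` set now sends `VERSION_WITHOUT_CAPABILITIES` instead of omitting `version`, which makes the server treat it as a client with no capabilities rather than, through the `in_server` branch filling in `API_VERSION`, as the newest one; that is the right fix, but it also means the server hands such a client the pre-capability output formats even for capabilities the client really does support. The `default.conf.5` entry only warns of "errors/strange behavior"; it should state this downgrade explicitly so an administrator knows what skipping the check trades away. The change to `self.validate_output(ret, options['version'])` is fine now that both branches above always set `options['version']`.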
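Review bot: removing the hidden `--skip-version-check` option from `plugable.py` leaves `ipa -e skip_version_check=1` (named in the commit message) and the config file as the only ways to set it, and the `-e` path shown in the hunk does nothing beyond `overrides[str(key.strip())] = value.strip()`; the man page labels the key `boolean` but does not say which spellings are accepted, so document that (and that `1` works, as the commit message uses) to avoid a value like `yes` silently leaving the check on.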
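Why the reverted commit "breaks capabilities" and why sending `VERSION_WITHOUT_CAPABILITIES` repairs it, as an added example that models client and server of a versioned RPC API with per-version capabilities. This is not ipalib's code: the server version `2.146`, the value `2.51` for `VERSION_WITHOUT_CAPABILITIES`, the two capabilities in `CAPABILITIES` and the output shapes they switch are all constructed; only the control flow in `request_version` and `server_execute` mirrors the two branches visible in the `frontend.py` hunk.

```python
API_VERSION = "2.146"                  # assumed server API version (the VERSION hunk in this thread sets minor 146)
VERSION_WITHOUT_CAPABILITIES = "2.51"  # assumed value; the real constant's value is not shown on the page

# Constructed capability table: name -> first client API version that understands it.
# Deliberately one capability below the server's version and one above it.
CAPABILITIES = {
    "messages": "2.52",           # server may attach informational messages to the result
    "structured_value": "2.148",  # server returns the primary key as a dict instead of a string
}


class VersionError(Exception):
    pass


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def client_has_capability(version, capability):
    return parse_version(version) >= parse_version(CAPABILITIES[capability])


def verify_client_version(client_version, server_version):
    """Server side: reject a different major version and clients newer than the server."""
    client, server = parse_version(client_version), parse_version(server_version)
    if client[0] != server[0]:
        raise VersionError(f"major API version mismatch: client {client_version}, server {server_version}")
    if client > server:
        raise VersionError(f"client API version {client_version} is newer than server {server_version}")


def request_version(client_api_version, skip_version_check, fixed):
    """Client side: which `version` option to send.

    fixed=False reproduces the reverted commit: skipping the check sends no version.
    fixed=True reproduces this patch: send VERSION_WITHOUT_CAPABILITIES so the server
    treats the client as one that understands none of the capabilities.
    """
    if not skip_version_check:
        return client_api_version
    return VERSION_WITHOUT_CAPABILITIES if fixed else None


def server_execute(options, server_version=API_VERSION):
    """Server side: check the version, then shape the output for that client."""
    version = options.get("version")
    if version is None:
        version = server_version     # the in_server branch: no version means "assume API_VERSION"
    else:
        verify_client_version(version, server_version)
    result = {"result": {"uid": ["alice"]}}
    if client_has_capability(version, "messages"):
        result["messages"] = [{"type": "warning", "message": "constructed warning"}]
    result["value"] = {"uid": "alice"} if client_has_capability(version, "structured_value") else "alice"
    return result


def client_validate(result, negotiated_version):
    """Client side: the output must match the capabilities of the negotiated version."""
    if ("messages" in result) != client_has_capability(negotiated_version, "messages"):
        raise VersionError("output does not match negotiated capabilities: messages")
    expect_dict = client_has_capability(negotiated_version, "structured_value")
    if isinstance(result["value"], dict) != expect_dict:
        raise VersionError("output does not match negotiated capabilities: value")


def client_call(client_api_version, skip_version_check, fixed, server_version=API_VERSION):
    """One round trip. Returns the server's result or raises VersionError."""
    version = request_version(client_api_version, skip_version_check, fixed)
    options = {} if version is None else {"version": version}
    result = server_execute(options, server_version)
    # Without the fix the client sent no version and therefore assumes its own
    # API_VERSION was negotiated; that assumption is where the mismatch comes from.
    client_validate(result, version if version is not None else client_api_version)
    return result


def raises_version_error(*args, **kwargs):
    try:
        client_call(*args, **kwargs)
    except VersionError:
        return True
    return False


if __name__ == "__main__":
    print("old client, checked     :", client_call("2.100", False, True))
    print("new client, checked     :", raises_version_error("2.150", False, True))
    print("new client, skip, broken:", raises_version_error("2.150", True, False))
    print("new client, skip, fixed :", client_call("2.150", True, True))
```

With the fix, a 2.150 client talking to the 2.146 server gets a result with no `messages` and a plain `value`, which is the price of skipping the check; without the fix the server shapes the result for 2.146 while the client expects the 2.150 shape, and the call fails on output validation instead of on the version check.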
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 08/07/15 12:51, Martin Basti wrote:
> On 08/07/15 12:20, Petr Vobornik wrote:
>> On 07/08/2015 10:37 AM, Petr Vobornik wrote:
>>> API refactoring caused that session_logout command was not registered.
>>> Commands in ipalib/plugins directory are automatically registered.
>>
>> Added NO_CLI = True to hide the command in CLI.
>
> Works for me.
>
> --
> Martin Basti

NACK, It works but you should update API.txt

Command session_logout in ipalib, not in API
There are one or more new commands defined. Update API.txt and increment the minor version in VERSION.

-- 
Martin Basti
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 08/07/15 12:20, Petr Vobornik wrote:
> On 07/08/2015 10:37 AM, Petr Vobornik wrote:
>> API refactoring caused that session_logout command was not registered.
>> Commands in ipalib/plugins directory are automatically registered.
>
> Added NO_CLI = True to hide the command in CLI.

Works for me.

-- 
Martin Basti
Re: [Freeipa-devel] Meaning of two strings in plugins/service.py
2015-07-08 9:45 GMT+02:00 Petr Vobornik pvobo...@redhat.com:
> On 07/08/2015 09:31 AM, David Kupka wrote:
>> On 05/07/15 11:25, Jérôme Fenal wrote:
>>> Hi,
>>>
>>> I stumbled upon those two following strings while translating into French, and just cannot figure out the meaning.
>>>
>>> Str('ipaallowedtoperform_read_keys',
>>>     label=_('Failed allowed to retrieve keytab'),
>>> ),
>>> Str('ipaallowedtoperform_write_keys',
>>>     label=_('Failed allowed to create keytab'),
>>> ),
>>>
>>> Would it be that failure is allowed while retrieving or creating keytab? Or...?
>>>
>>> Thanks for helping,
>>>
>>> Jérôme
>>
>> Hi Jérôme,
>> I guess it should be "Failed to allow retrieval/creation of keytab". But Petr (added) is author of this code and should know better.
>
> It's used in the following way (user abc does not exist):
>
>   ipa host-allow-create-keytab vm-121.example.com --users=abc
>   Host name: vm-121.example.com.com
>   Principal name: host/vm-121.example@example.com
>   Managed by: vm-121.example.com.com
>   Failed allowed to create keytab:
>     member user: abc: no such entry
>     member group:
>     member host:
>     member host group:
>   -------------------------
>   Number of members added 0
>   -------------------------
>
> I.e., host groups, hosts, user groups, users who were not added as the ones who are allowed to retrieve/create keytab.

So I guess it'd be more "Failed to allow retrieval/creation of keytab".

Should I propose a patch to change the sentence?

Regards,

J.

-- 
Jérôme Fenal
[Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. -- Petr Vobornik From 7121a19c19f317093923bde1ecf142fa231d09ef Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 10:32:54 +0200 Subject: [PATCH] move session_logout command to ipalib/plugins directory API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. --- ipalib/plugins/session.py | 30 ++ ipalib/session.py | 29 - 2 files changed, 30 insertions(+), 29 deletions(-) create mode 100644 ipalib/plugins/session.py diff --git a/ipalib/plugins/session.py b/ipalib/plugins/session.py new file mode 100644 index ..022f2bb2c36f27f459eea9070b12bd6be0bfd901 --- /dev/null +++ b/ipalib/plugins/session.py @@ -0,0 +1,30 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import Command +from ipalib.request import context +from ipalib.session import session_mgr +from ipalib.plugable import Registry + +register = Registry() + + +@register() +class session_logout(Command): +''' +RPC command used to log the current user out of their session. +''' + +def execute(self, *args, **options): +session_data = getattr(context, 'session_data', None) +if session_data is None: +self.debug('session logout command: no session_data found') +else: +session_id = session_data.get('session_id') +self.debug('session logout command: session_id=%s', session_id) + +# Notifiy registered listeners +session_mgr.auth_mgr.logout(session_data) + +return dict(result=None) diff --git a/ipalib/session.py b/ipalib/session.py index 2f732b75c837b931c6b16ccfc535e11d7e4c..ec6c2081c65678dc1e75ab957564ace906b68252 100644 --- a/ipalib/session.py +++ b/ipalib/session.py 
@@ -26,7 +26,6 @@ from urllib2 import urlparse from text import _ from ipapython.ipa_log_manager import * from ipalib import api, errors -from ipalib import Command from ipaplatform.paths import paths from ipalib.krb_utils import * from ipapython.cookie import Cookie @@ -1278,32 +1277,4 @@ def release_ipa_ccache(ccache_name): else: raise ValueError('ccache scheme %s unsupported (%s)', scheme, ccache_name) - -#--- - -from ipalib.request import context - -class session_logout(Command): -''' -RPC command used to log the current user out of their session. -''' - -def execute(self, *args, **options): -session_data = getattr(context, 'session_data', None) -if session_data is None: -self.debug('session logout command: no session_data found') -else: -session_id = session_data.get('session_id') -self.debug('session logout command: session_id=%s', session_id) - -# Notifiy registered listeners -session_mgr.auth_mgr.logout(session_data) - -return dict(result=None) - -api.register(session_logout) - -#--- - - session_mgr = MemcacheSessionManager() -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
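Review bot: the diffstat of this version touches only `ipalib/plugins/session.py` and `ipalib/session.py`; since `session_logout` becomes a registered command again, `API.txt` needs the new `command: session_logout` entry and `VERSION` needs an `IPA_API_VERSION_MINOR` bump, or the API consistency check reports a new command that is not in API.txt. The moved class also carries no `NO_CLI` marker, so `ipa session-logout` would appear in the CLI although, per its own docstring, it is an RPC command for logging out of a web session. The removed `api.register(session_logout)` in `ipalib/session.py` is the pre-refactoring registration that silently stopped taking effect; one line in the commit message saying so would explain why moving the file is the fix.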
Re: [Freeipa-devel] Meaning of two strings in plugins/service.py
On 07/08/2015 09:31 AM, David Kupka wrote:
> On 05/07/15 11:25, Jérôme Fenal wrote:
>> Hi,
>>
>> I stumbled upon those two following strings while translating into French, and just cannot figure out the meaning.
>>
>> Str('ipaallowedtoperform_read_keys',
>>     label=_('Failed allowed to retrieve keytab'),
>> ),
>> Str('ipaallowedtoperform_write_keys',
>>     label=_('Failed allowed to create keytab'),
>> ),
>>
>> Would it be that failure is allowed while retrieving or creating keytab? Or...?
>>
>> Thanks for helping,
>>
>> Jérôme
>
> Hi Jérôme,
> I guess it should be "Failed to allow retrieval/creation of keytab". But Petr (added) is author of this code and should know better.

It's used in the following way (user abc does not exist):

  ipa host-allow-create-keytab vm-121.example.com --users=abc
  Host name: vm-121.example.com.com
  Principal name: host/vm-121.example@example.com
  Managed by: vm-121.example.com.com
  Failed allowed to create keytab:
    member user: abc: no such entry
    member group:
    member host:
    member host group:
  -------------------------
  Number of members added 0
  -------------------------

I.e., host groups, hosts, user groups, users who were not added as the ones who are allowed to retrieve/create keytab.

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 07/08/2015 10:37 AM, Petr Vobornik wrote: API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. Added NO_CLI = True to hide the command in CLI. -- Petr Vobornik From 6cc9e7f3ff601735887ef566ea02e04a676041ef Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 10:32:54 +0200 Subject: [PATCH] move session_logout command to ipalib/plugins directory API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. --- ipalib/plugins/session.py | 31 +++ ipalib/session.py | 29 - 2 files changed, 31 insertions(+), 29 deletions(-) create mode 100644 ipalib/plugins/session.py diff --git a/ipalib/plugins/session.py b/ipalib/plugins/session.py new file mode 100644 index ..3fd566d3224a13b5fbaa4450f02855329a13bc4c --- /dev/null +++ b/ipalib/plugins/session.py @@ -0,0 +1,31 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from ipalib import Command +from ipalib.request import context +from ipalib.session import session_mgr +from ipalib.plugable import Registry + +register = Registry() + + +@register() +class session_logout(Command): +''' +RPC command used to log the current user out of their session. +''' +NO_CLI = True + +def execute(self, *args, **options): +session_data = getattr(context, 'session_data', None) +if session_data is None: +self.debug('session logout command: no session_data found') +else: +session_id = session_data.get('session_id') +self.debug('session logout command: session_id=%s', session_id) + +# Notifiy registered listeners +session_mgr.auth_mgr.logout(session_data) + +return dict(result=None) diff --git a/ipalib/session.py b/ipalib/session.py index 2f732b75c837b931c6b16ccfc535e11d7e4c..ec6c2081c65678dc1e75ab957564ace906b68252 100644 --- a/ipalib/session.py +++ b/ipalib/session.py 
@@ -26,7 +26,6 @@ from urllib2 import urlparse from text import _ from ipapython.ipa_log_manager import * from ipalib import api, errors -from ipalib import Command from ipaplatform.paths import paths from ipalib.krb_utils import * from ipapython.cookie import Cookie @@ -1278,32 +1277,4 @@ def release_ipa_ccache(ccache_name): else: raise ValueError('ccache scheme %s unsupported (%s)', scheme, ccache_name) - -#--- - -from ipalib.request import context - -class session_logout(Command): -''' -RPC command used to log the current user out of their session. -''' - -def execute(self, *args, **options): -session_data = getattr(context, 'session_data', None) -if session_data is None: -self.debug('session logout command: no session_data found') -else: -session_id = session_data.get('session_id') -self.debug('session logout command: session_id=%s', session_id) - -# Notifiy registered listeners -session_mgr.auth_mgr.logout(session_data) - -return dict(result=None) - -api.register(session_logout) - -#--- - - session_mgr = MemcacheSessionManager() -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
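Review bot: moving session_logout into ipalib/plugins/session.py makes it part of the auto-registered API, so the patch also needs an entry in API.txt and a minor version bump in VERSION; without them the API consistency check reports "Command session_logout in ipalib, not in API". Two nits in the same new file: the comment "# Notifiy registered listeners" should read "Notify", and since NO_CLI = True leaves the command reachable only over RPC, the docstring could state that a request without session_data (the `if session_data is None` branch) is a logged no-op that still returns `dict(result=None)`.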
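Review bot: the ipalib/session.py hunk removes the mid-module `from ipalib.request import context` together with the command and drops `from ipalib import Command` at the top; please confirm nothing else in ipalib/session.py still uses `context`, since the removal is not exercised by the new plugin file. Keeping `session_mgr = MemcacheSessionManager()` in ipalib/session.py is the right call, as the new plugin imports it from there and the dependency runs in one direction only (plugin -> ipalib.session).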
Re: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages
On 07/08/2015 01:28 PM, Alexander Bokovoy wrote: On Wed, 08 Jul 2015, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5103. ACK. Pushed to master: 7c0e7f7e3ca3a971d4db64f80f02d4f79e5f5c4d -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0277] Upgrade: Do not show upgrade failed message during RPM transaction when IPA is not installed
Dne 8.7.2015 v 14:43 Martin Basti napsal(a): On 08/07/15 14:35, Jan Cholasta wrote: Hi, Dne 8.7.2015 v 12:58 Martin Basti napsal(a): Patch attached. Use self.log instead of root_logger. Otherwise ACK. Honza Updated patch attached. Pushed to master: 07d314070ae647254eb47708d7543c4d995fd885 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls
On 07/08/2015 02:24 PM, Petr Vobornik wrote: add Web UI for new certificate objects [PATCH] 894 webui: certificate profiles [PATCH] 895 webui: caacl [PATCH] 896 webui: hide facet tab in certificate details facet Fixed bug (adding profiles to caacl) in patch 895. -- Petr Vobornik From 5e92e0557d8add1eb4d74fea4c4526e50e1685a1 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 8 Jul 2015 12:11:02 +0200 Subject: [PATCH] webui: caacl --- install/ui/doc/categories.json | 1 + install/ui/src/freeipa/app.js | 1 + install/ui/src/freeipa/certificate.js | 3 +- install/ui/src/freeipa/navigation/menu_spec.js | 5 + install/ui/src/freeipa/plugins/caacl.js| 379 + install/ui/test/data/ipa_init.json | 13 + ipalib/plugins/internal.py | 13 + 7 files changed, 414 insertions(+), 1 deletion(-) create mode 100644 install/ui/src/freeipa/plugins/caacl.js diff --git a/install/ui/doc/categories.json b/install/ui/doc/categories.json index 34ca7e839e2dfa354bbdeb37fdc30315a2a4f104..70b5666c062d9c5f8739e13ac3e82a74ab5249de 100644 --- a/install/ui/doc/categories.json +++ b/install/ui/doc/categories.json @@ -256,6 +256,7 @@ topology, user, plugins.api_browser, +plugins.caacl, plugins.certprofile, plugins.load, plugins.login, diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js index 6efb6b0c04a2339c84a18c77d80a4a7486382b08..1057120c02c000e5c21ad62c1517ccb59115f0cc 100644 --- a/install/ui/src/freeipa/app.js +++ b/install/ui/src/freeipa/app.js @@ -29,6 +29,7 @@ define([ './aci', './automember', './automount', +'./plugins/caacl', './plugins/certprofile', './dns', './group', diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index b2d740dcb74fc9b185a768d3675aea9527210040..146c71ef54704c2a813816bde39fc8eb2e96e75f 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js 
@@ -1024,7 +1024,8 @@ exp.facet_group = { label: '@i18n:tabs.cert', facets: { certificates: 'cert_search', -profiles: 'certprofile_search' +profiles: 'certprofile_search', +acls: 'caacl_search' } }; diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js index 713f205de1a06db255b559fbd2b6a7c7c340e18d..32bbd6aaab9e47854e74d26b7f23b89d8bfe7410 100644 --- a/install/ui/src/freeipa/navigation/menu_spec.js +++ b/install/ui/src/freeipa/navigation/menu_spec.js @@ -137,6 +137,11 @@ var nav = {}; entity: 'cert', facet: 'search', hidden: true +}, +{ +entity: 'caacl', +facet: 'search', +hidden: true } ] }, diff --git a/install/ui/src/freeipa/plugins/caacl.js b/install/ui/src/freeipa/plugins/caacl.js new file mode 100644 index ..57343d1e45c2562e1492564c3394472ca9a0c06f --- /dev/null +++ b/install/ui/src/freeipa/plugins/caacl.js @@ -0,0 +1,379 @@ +// +// Copyright (C) 2015 FreeIPA Contributors see COPYING for license +// + +define([ +'../ipa', +'../jquery', +'../phases', +'../reg', +'../certificate', +'../rule' +], +function(IPA, $, phases, reg, cert) { +/** + * caacl module + * @class plugins.caacl + * @singleton + */ +var caacl = IPA.caacl = { +remove_method_priority: IPA.config.default_priority - 1 +}; + +var make_caacl_spec = function() { +var spec = { +name: 'caacl', +facets: [ +{ +$type: 'search', +disable_facet_tabs: false, +tabs_in_sidebar: true, +tab_label: '@mo:caacl.label', +facet_groups: [cert.facet_group], +facet_group: 'certificates', +row_enabled_attribute: 'ipaenabledflag', +columns: [ +'cn', +{ +name: 'ipaenabledflag', +label: '@i18n:status.label', +formatter: 'boolean_status' +}, +'description' +], +actions: [ +'batch_disable', +'batch_enable' +], +control_buttons: [ +{ +name: 'disable', +label: '@i18n:buttons.disable', +icon: 'fa-minus' +}, +{ +name: 'enable', +label: '@i18n:buttons.enable', +icon: 'fa-check' +
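Review bot: in install/ui/src/freeipa/plugins/caacl.js the `define([...])` dependency list ends with '../rule', but the factory signature `function(IPA, $, phases, reg, cert)` stops at '../certificate', so the rule module is loaded only for its side effects; a one-line comment saying so (or dropping it if the caacl spec does not need it) would stop the next reader treating the mismatch as a bug. `remove_method_priority: IPA.config.default_priority - 1` would likewise benefit from a comment on which remove method it is meant to outrank.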
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
Thanks, Martin. Updated patch attached. I was getting a 'No newline at the end of file' in my environment, hence an extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti mba...@redhat.com wrote: On 01/07/15 09:05, Martin Basti wrote: On 30/06/15 17:31, Gabe Alford wrote: On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote: On 16/06/15 16:58, Gabe Alford wrote: I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe I'm getting the certificate on the server without an extra '\n' at the end. So the certificate files are not the same. I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you set up a server and then connect a client (just wondering what your steps were so that I can also reproduce)? Yes. I did that. I will retest it today. Retested and ca.cert on client has extra '\n' at the end. -- Martin Basti -- Martin Basti -- Martin Basti From b63860a9dd8db042f07796ea9fefc13b619b1b8b Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Wed, 8 Jul 2015 08:02:10 -0600 Subject: [PATCH] Fix client ca.crt to match the server's cert https://fedorahosted.org/freeipa/ticket/3809 --- ipalib/x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index edd73ebdc3b3732d326cd8f414bc957f1e4deb87..092d451c66801ff9311e5af4146678dd949d15cc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py 
@@ -264,7 +264,7 @@ def make_pem(data): Convert a raw base64-encoded blob into something that looks like a PE file with lines split to 64 characters and proper headers. -pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) +pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) return '-BEGIN CERTIFICATE-\n' + \ pemcert + \ '\n-END CERTIFICATE-' -- 1.8.3.1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
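Review bot: the hunk changes only the joiner between the 64-character base64 lines to '\r\n', while the newline after the BEGIN header and the one before the END footer in the unchanged `return` stay '\n', so the output ends up with mixed line endings; and the difference the thread actually reports is an extra trailing '\n' on the client's /etc/ipa/ca.crt, which make_pem never emits (its return value ends at the END footer) and which this change neither adds nor removes. Because make_pem is the generic PEM writer in ipalib/x509.py, every PEM produced by IPA would switch to CRLF, not just the client CA file. Suggest leaving the separator alone and fixing the trailing newline where the client writes ca.crt, or comparing the two files on their decoded DER content in the test; while here, the docstring's "PE file" should read "PEM file".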
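The disagreement above is whether two /etc/ipa/ca.crt files that differ only in line endings or a trailing newline hold the same CA. The following Python is an added example, not code from the FreeIPA patch or from the project: it compares PEM files on their decoded DER content rather than on raw bytes. `make_pem()` here is a local re-implementation with the line separator as a parameter (an assumption of this example), and the certificate payload is a constructed byte string, not a real certificate.

```python
"""Compare PEM certificate files by decoded content, not by raw bytes.

Added example for the ca.crt thread; not code from the FreeIPA patch or
the project. make_pem() is a local re-implementation whose `newline`
parameter is an assumption of this example, and FAKE_DER is a constructed
byte string standing in for a DER certificate.
"""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_pem(data, newline="\n"):
    """Wrap a base64 blob as PEM with 64-character lines.

    Same layout as ipalib.x509.make_pem, except that the separator is a
    parameter so both LF and CRLF output can be produced for comparison.
    """
    lines = [data[i:i + 64] for i in range(0, len(data), 64)]
    return BEGIN + newline + newline.join(lines) + newline + END + newline


def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM text to DER bytes.

    All whitespace (LF, CRLF, indentation, a trailing newline) is dropped
    before decoding, so the result depends only on the base64 payload.
    """
    match = _BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    payload = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(payload, validate=True)


def fingerprint(pem):
    """SHA-256 hex digest of the DER certificate, as most tooling prints it."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_certificate(pem_a, pem_b):
    """True when both PEM texts carry the identical DER certificate."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


# Constructed payload standing in for a DER certificate (not a real cert).
FAKE_DER = bytes(range(256)) * 3
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")
SERVER_PEM = make_pem(FAKE_B64, "\n")            # LF line endings
CLIENT_PEM = make_pem(FAKE_B64, "\r\n") + "\n"   # CRLF plus an extra trailing newline


if __name__ == "__main__":
    print("byte-identical:", SERVER_PEM == CLIENT_PEM)                 # False
    print("same certificate:", same_certificate(SERVER_PEM, CLIENT_PEM))  # True
    print("fingerprint:", fingerprint(CLIENT_PEM))
```

Run stand-alone it reports that the two texts differ byte for byte yet carry the same certificate. On real hosts the equivalent check is `openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256` on server and client; matching fingerprints mean any remaining `diff` output is line-ending noise, not a CA mismatch.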
Re: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals
On 03/07/15 16:26, Fraser Tweedale wrote: The attached patches fix: - a bug that caused caacl false negatives for host principals - #5096 cert-request: enforce caacl for subjectAltName principals Thanks, Fraser Works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd
On Wed, 08 Jul 2015, Tomas Babej wrote: From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 15:44:13 +0200 Subject: [PATCH] adtrustinstance: Enable and start oddjobd Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. ACK --- ipaserver/install/adtrustinstance.py | 19 +++ ipaserver/install/installutils.py| 11 +++ 2 files changed, 30 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 8343f81826b661e0ab5a34073b0df9b477589ffa..ff0e8cc3e6dd7a78bd5a6ab06918757ca343970c 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -706,6 +706,9 @@ class ADTRUSTInstance(service.Service): except Exception, e: root_logger.critical(Enabling nsswitch support in slapi-nis failed with error '%s' % e) +def __enable_and_start_oddjobd(self): +installutils.enable_and_start_oddjobd(self.sstore) + def __start(self): try: self.start() @@ -852,6 +855,7 @@ class ADTRUSTInstance(service.Service): self.step(adding Default Trust View, self.__add_default_trust_view) self.step(setting SELinux booleans, \ self.__configure_selinux_for_smbd) +self.step(enabling oddjobd, self.__enable_and_start_oddjobd) self.step(starting CIFS services, self.__start) if self.add_sids: @@ -880,6 +884,21 @@ class ADTRUSTInstance(service.Service): except Exception: pass +# Restore oddjobd to its original state +oddjobd = services.service('oddjobd') + +if not self.sstore.restore_state('oddjobd', 'running'): +try: +oddjobd.stop() +except Exception: +pass + +if not self.sstore.restore_state('oddjobd', 'enabled'): +try: +oddjobd.disable() +except Exception: +pass + # Since we do not guarantee restoring back to working samba state, # we should not restore smb.conf 
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 08620c472b9478511d7d08a0d174e7da3f732207..02e8526317dbab909ed48a1823000922ce6e6b7a 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1081,3 +1081,14 @@ def check_version(): def realm_to_serverid(realm_name): return -.join(realm_name.split(.)) + +def enable_and_start_oddjobd(sstore): +oddjobd = services.service('oddjobd') +sstore.backup_state('oddjobd', 'running', oddjobd.is_running()) +sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled()) + +try: +oddjobd.enable() +oddjobd.start() +except Exception as e: +root_logger.critical(Unable to start oddjobd: {0}.format(str(e))) -- 2.1.0 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
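Review bot: in the adtrustinstance.py uninstall hunk, `if not self.sstore.restore_state('oddjobd', 'running')` (and its 'enabled' twin) also fires when no state was ever recorded, for example when the install failed before the "enabling oddjobd" step or when the state file predates this patch, if restore_state returns None for a missing key. On such hosts uninstall would stop and disable oddjobd even though ipa-adtrust-install never touched it and other components on the host may be using it. Suggest checking that the key exists first, or comparing explicitly against False rather than relying on falsiness.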
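Review bot: in the installutils.py hunk, enable_and_start_oddjobd wraps `oddjobd.enable()` and `oddjobd.start()` in a single try and only logs at critical level on failure, so a failed start leaves the service enabled but not running while the install step still reports success; if that is intended, the message should say "Unable to enable or start oddjobd", otherwise split the two calls or re-raise. The hunk also uses `services` and `root_logger` without showing their imports in installutils.py; please confirm both are already imported in that module.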
Re: [Freeipa-devel] How to support Designate?
On 07/08/2015 04:31 AM, Petr Spacek wrote: On 1.7.2015 17:12, Rich Megginson wrote: On 07/01/2015 09:10 AM, Petr Spacek wrote: On 1.7.2015 16:43, Rich Megginson wrote: How much work would it be to support IPA as an AXFR/IXFR client or server with Designate? Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned. I need to read more about it. Could you please point me to some comprehensive docs about Designate? Thanks! http://docs.openstack.org/developer/designate/architecture.html Designate in setups with mini-DNS acts as DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible. By master do you mean unable to accept AXFR/IXFR from another server? I can see several alternatives: A) Add support for slave zones to FreeIPA. It should be relatively easy and I guess doable in Fedora 23 time frame if it gets appropriate priority. For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data. The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'. When implemented, FreeIPA could become the easiest way how to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by Designate API. This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone. B) We can avoid implementing slave zones by using 'agent': http://docs.openstack.org/developer/designate/glossary.html If I'm not mistaken, this is what you implemented last year. 
I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA. C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year. It was already dropped when the backend approach was deprecated. In current architecture it really does not add any value *unless* we add DNSSEC to the mix. D) Integrate IPA installers with Designate API. This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management. I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start. In my opinion variants A+D are the best way to move forward. What do you think? If we could change Designate in some way to work better with FreeIPA, what would you propose? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals
On 07/08/2015 04:30 PM, David Kupka wrote: On 03/07/15 16:26, Fraser Tweedale wrote: The attached patches fix: - a bug that caused caacl false negatives for host principals - #5096 cert-request: enforce caacl for subjectAltName principals Thanks, Fraser Works for me, ACK. Pushed to master: ec7e5e0cac4d93f4a0bb62c1de28be46f362740b -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls
On 08/07/15 15:11, Petr Vobornik wrote: On 07/08/2015 02:24 PM, Petr Vobornik wrote: add Web UI for new certificate objects [PATCH] 894 webui: certificate profiles [PATCH] 895 webui: caacl [PATCH] 896 webui: hide facet tab in certificate details facet Fixed bug (adding profiles to caacl) in patch 895. ACK -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0278] Fix API logging
On 07/08/2015 02:18 PM, Martin Basti wrote: log must be initialized before first usage in API, otherwise a traceback is shown: # ipa -e random-nonexistent-key=1 user-find Traceback (most recent call last): File "/bin/ipa", line 32, in <module> cli.run(api) File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run api.log.exception('%s: %s', e.__class__.__name__, str(e)) AttributeError: 'API' object has no attribute 'log' Patch attached. ACK. Pushed to master: e51bb1bc668bf3008c8cca1dcbb0ebda7fa5c703 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd
On 07/08/2015 05:12 PM, Alexander Bokovoy wrote: On Wed, 08 Jul 2015, Tomas Babej wrote: From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 15:44:13 +0200 Subject: [PATCH] adtrustinstance: Enable and start oddjobd Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. ACK Pushed to master: 9c5df3cf76c921d268e7892ef9d9e7a7d2ad89f9 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd
On Wed, 08 Jul 2015, Tomas Babej wrote: From c6135d634cbccbdbb30ab3906c32cd3720bca95e Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 15:45:18 +0200 Subject: [PATCH] upgrade: Enable and start oddjobd if adtrust is available If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. ACK as well. --- install/updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/adtrust.py | 24 2 files changed, 25 insertions(+) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 8e8fe09414eac57d2e8c15dcfc4aed64b6e35cd5..3df3a4574705dbd8df8f25149c13877898afb66b 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -18,3 +18,4 @@ plugin: update_managed_post plugin: update_managed_permissions plugin: update_idrange_baserid plugin: update_passync_privilege_update +plugin: update_oddjobd_for_adtrust diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index d96bfe83e3b9d1d3e64b9fde385fbf520ed20a3a..45bcc5f2fe532446342300ff0c5e1e7149cf023b 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -19,8 +19,11 @@ from ipalib import api, errors from ipalib import Updater +from ipaplatform.paths import paths from ipapython.dn import DN from ipapython.ipa_log_manager import * +from ipapython import sysrestore +from ipaserver.install import installutils DEFAULT_ID_RANGE_SIZE = 20 
@@ -161,5 +164,26 @@ class update_default_trust_view(Updater): return False, [update] + +class update_oddjobd_for_adtrust(Updater): + +Enables and starts oddjobd daemon if ipa-adtrust-install has been run +on this system. + + +def execute(self, **options): +adtrust_is_enabled = self.api.Command['adtrust_is_enabled']()['result'] + +if adtrust_is_enabled: +self.log.debug('Try to enable and start oddjobd') +sstore = sysrestore.StateFile(paths.SYSRESTORE) +installutils.enable_and_start_oddjobd(sstore) +else: +self.log.debug('ADTrust not configured on this server, do not ' + 'start and enable oddjobd') + +return False, [] + api.register(update_default_range) api.register(update_default_trust_view) +api.register(update_oddjobd_for_adtrust) -- 2.1.0 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
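Review bot: update_oddjobd_for_adtrust runs on every upgrade and calls installutils.enable_and_start_oddjobd, which calls sstore.backup_state for 'running' and 'enabled' each time; once the first upgrade has enabled and started oddjobd, a later run records True/True and, unless backup_state preserves the first stored value, the pre-trust state that ADTRUSTInstance.uninstall restores from is lost. Suggest skipping the backup when the 'oddjobd' state is already present in the state file. The `return False, []` is right for an Updater that changes nothing in LDAP, and the debug line for the not-configured case already documents the intentional no-op.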
[Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd
Hi, Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations and upgraded ones. Tomas From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 15:44:13 +0200 Subject: [PATCH] adtrustinstance: Enable and start oddjobd Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. --- ipaserver/install/adtrustinstance.py | 19 +++ ipaserver/install/installutils.py| 11 +++ 2 files changed, 30 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 8343f81826b661e0ab5a34073b0df9b477589ffa..ff0e8cc3e6dd7a78bd5a6ab06918757ca343970c 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -706,6 +706,9 @@ class ADTRUSTInstance(service.Service): except Exception, e: root_logger.critical(Enabling nsswitch support in slapi-nis failed with error '%s' % e) +def __enable_and_start_oddjobd(self): +installutils.enable_and_start_oddjobd(self.sstore) + def __start(self): try: self.start() @@ -852,6 +855,7 @@ class ADTRUSTInstance(service.Service): self.step(adding Default Trust View, self.__add_default_trust_view) self.step(setting SELinux booleans, \ self.__configure_selinux_for_smbd) +self.step(enabling oddjobd, self.__enable_and_start_oddjobd) self.step(starting CIFS services, self.__start) if self.add_sids: @@ -880,6 +884,21 @@ class ADTRUSTInstance(service.Service): except Exception: pass +# Restore oddjobd to its original state +oddjobd = services.service('oddjobd') + +if not self.sstore.restore_state('oddjobd', 'running'): +try: +oddjobd.stop() +except Exception: +pass + +if not self.sstore.restore_state('oddjobd', 'enabled'): +try: +oddjobd.disable() +except Exception: +pass + # Since we do not guarantee restoring back to working samba state, # we should not restore smb.conf 
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 08620c472b9478511d7d08a0d174e7da3f732207..02e8526317dbab909ed48a1823000922ce6e6b7a 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1081,3 +1081,14 @@ def check_version(): def realm_to_serverid(realm_name): return -.join(realm_name.split(.)) + +def enable_and_start_oddjobd(sstore): +oddjobd = services.service('oddjobd') +sstore.backup_state('oddjobd', 'running', oddjobd.is_running()) +sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled()) + +try: +oddjobd.enable() +oddjobd.start() +except Exception as e: +root_logger.critical(Unable to start oddjobd: {0}.format(str(e))) -- 2.1.0 From c6135d634cbccbdbb30ab3906c32cd3720bca95e Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 8 Jul 2015 15:45:18 +0200 Subject: [PATCH] upgrade: Enable and start oddjobd if adtrust is available If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. --- install/updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/adtrust.py | 24 2 files changed, 25 insertions(+) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 8e8fe09414eac57d2e8c15dcfc4aed64b6e35cd5..3df3a4574705dbd8df8f25149c13877898afb66b 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -18,3 +18,4 @@ plugin: update_managed_post plugin: update_managed_permissions plugin: update_idrange_baserid plugin: update_passync_privilege_update +plugin: update_oddjobd_for_adtrust diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py index d96bfe83e3b9d1d3e64b9fde385fbf520ed20a3a..45bcc5f2fe532446342300ff0c5e1e7149cf023b 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py 
@@ -19,8 +19,11 @@ from ipalib import api, errors from ipalib import Updater +from ipaplatform.paths import paths from ipapython.dn import DN from ipapython.ipa_log_manager import * +from ipapython import sysrestore +from ipaserver.install import installutils DEFAULT_ID_RANGE_SIZE = 20 @@ -161,5 +164,26 @@ class update_default_trust_view(Updater): return False, [update] + +class update_oddjobd_for_adtrust(Updater): + +Enables and starts oddjobd daemon if ipa-adtrust-install has been run +on this system. + + +def execute(self, **options): +adtrust_is_enabled =
Re: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls
On 07/08/2015 04:54 PM, Martin Basti wrote: On 08/07/15 15:11, Petr Vobornik wrote: On 07/08/2015 02:24 PM, Petr Vobornik wrote: add Web UI for new certificate objects [PATCH] 894 webui: certificate profiles [PATCH] 895 webui: caacl [PATCH] 896 webui: hide facet tab in certificate details facet Fixed bug (adding profiles to caacl) in patch 895. ACK -- Martin Basti Pushed to master: f13cce2d9c7d0b31b366fd7b5af518fbccb10ee8 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory
On 07/08/2015 02:33 PM, Martin Basti wrote: On 08/07/15 13:46, Petr Vobornik wrote: On 07/08/2015 01:20 PM, Martin Basti wrote: On 08/07/15 12:51, Martin Basti wrote: On 08/07/15 12:20, Petr Vobornik wrote: On 07/08/2015 10:37 AM, Petr Vobornik wrote: API refactoring caused the session_logout command not to be registered. Commands in the ipalib/plugins directory are automatically registered. Added NO_CLI = True to hide the command in CLI. Works for me. -- Martin Basti NACK, It works but you should update API.txt Command session_logout in ipalib, not in API There are one or more new commands defined. Update API.txt and increment the minor version in VERSION. updated patch attached. ACK Pushed to master: cd3ca94ff2ef738cb3a9eae502193413058f976d -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] How to support Designate?
On 8.7.2015 17:10, Rich Megginson wrote: On 07/08/2015 04:31 AM, Petr Spacek wrote: On 1.7.2015 17:12, Rich Megginson wrote: On 07/01/2015 09:10 AM, Petr Spacek wrote: On 1.7.2015 16:43, Rich Megginson wrote: How much work would it be to support IPA as an AXFR/IXFR client or server with Designate? Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned. I need to read more about it. Could you please point me to some comprehensive docs about Designate? Thanks! http://docs.openstack.org/developer/designate/architecture.html Designate in setups with mini-DNS acts as the DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible. By master do you mean unable to accept AXFR/IXFR from another server? Sort of. DNS is conceptually built around the concept of a single authoritative database hosted on a Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master). See http://tools.ietf.org/html/rfc2136#section-1 The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designate cannot be Primary Masters at the same time. We need to decide who is going to have control over the data. I can see several alternatives: A) Add support for slave zones to FreeIPA. It should be relatively easy and I guess doable in the Fedora 23 time frame if it gets appropriate priority. For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data. The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. 
I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'. When implemented, FreeIPA could become the easiest way to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by the Designate API. This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone. To be sure we understood each other: In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients. B) We can avoid implementing slave zones by using 'agent': http://docs.openstack.org/developer/designate/glossary.html If I'm not mistaken, this is what you implemented last year. I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA. Wow, that is a lot of complexity. I suspect that something like this is already implemented in dnssyncd written by Martin Basti: https://github.com/bastiak/dnssyncd Anyway, I do not see any value in doing so in this particular scenario. Designate would be the authoritative source of data (Primary Master) so from a functional point of view it would be the same as (or worse than) variant (A), just with more code and more error prone. C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year. It was already dropped when the backend approach was deprecated. 
In current architecture it really does not add any value *unless* we add DNSSEC to the mix. D) Integrate IPA installers with Designate API. This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management. I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start. Generally FreeIPA should integrate with other DNS server implementations in a way similar to this: https://fedorahosted.org/freeipa/ticket/4424 http://www.freeipa.org/page/V4/External_DNS_integration_with_installer Hopefully 4.3 timeframe will allow us to work on that. In my opinion variants A+D are the best way to move forward. What do you think? If we could change Designate in some way to work better with FreeIPA, what would you propose? How much can we change? :-D I liked the original architecture where Designate just 'proxied' change requests to DNS implementations/backends. Assuming that Designate
Re: [Freeipa-devel] How to support Designate?
On 07/08/2015 11:56 AM, Rich Megginson wrote:
On 07/08/2015 10:11 AM, Petr Spacek wrote:
On 8.7.2015 17:10, Rich Megginson wrote:
On 07/08/2015 04:31 AM, Petr Spacek wrote:
On 1.7.2015 17:12, Rich Megginson wrote:
On 07/01/2015 09:10 AM, Petr Spacek wrote:
On 1.7.2015 16:43, Rich Megginson wrote:

How much work would it be to support IPA as an AXFR/IXFR client or server with Designate? Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned.

I need to read more about it. Could you please point me to some comprehensive docs about Designate? Thanks!

http://docs.openstack.org/developer/designate/architecture.html

Designate in setups with mini-DNS acts as DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible.

By master do you mean unable to accept AXFR/IXFR from another server?

Sort of. DNS is conceptually built around the concept of a single authoritative database hosted on the Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master). See http://tools.ietf.org/html/rfc2136#section-1

The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designate cannot be Primary Masters at the same time. We need to decide who is going to have control over the data. I can see several alternatives:

A) Add support for slave zones to FreeIPA. It should be relatively easy and I guess doable in Fedora 23 time frame if it gets appropriate priority. For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data. The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'. When implemented, FreeIPA could become the easiest way to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by Designate API.

This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone.

To be sure we understood each other: In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients.

B) We can avoid implementing slave zones by using 'agent': http://docs.openstack.org/developer/designate/glossary.html If I'm not mistaken, this is what you implemented last year.

I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA.

Wow, that is a lot of complexity. I suspect that something like this is already implemented in dnssyncd written by Martin Basti: https://github.com/bastiak/dnssyncd

How does this work? Does it receive zone transfer (AXFR? IXFR?) from a DNS master, then update LDAP with those records?

Anyway, I do not see any value in doing so in this particular scenario. Designate would be the authoritative source of data (Primary Master) so from a functional point of view it would be the same (or worse) than variant (A), just with more code and more error prone.

C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year.

It was already dropped when the backend approach was deprecated.

In the current architecture it really does not add any value *unless* we add DNSSEC to the mix.

D) Integrate IPA installers with Designate API. This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management.

I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start.

Generally FreeIPA should integrate with other DNS server implementations in a way similar to this: https://fedorahosted.org/freeipa/ticket/4424 http://www.freeipa.org/page/V4/External_DNS_integration_with_installer Hopefully the 4.3 timeframe will allow us to work on that. In my opinion variants A+D are the best way to move forward. What do you think?

If we could change Designate in some way to work better with
Re: [Freeipa-devel] How to support Designate?
On 07/08/2015 10:11 AM, Petr Spacek wrote:
On 8.7.2015 17:10, Rich Megginson wrote:
On 07/08/2015 04:31 AM, Petr Spacek wrote:
On 1.7.2015 17:12, Rich Megginson wrote:
On 07/01/2015 09:10 AM, Petr Spacek wrote:
On 1.7.2015 16:43, Rich Megginson wrote:

How much work would it be to support IPA as an AXFR/IXFR client or server with Designate? Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned.

I need to read more about it. Could you please point me to some comprehensive docs about Designate? Thanks!

http://docs.openstack.org/developer/designate/architecture.html

Designate in setups with mini-DNS acts as DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible.

By master do you mean unable to accept AXFR/IXFR from another server?

Sort of. DNS is conceptually built around the concept of a single authoritative database hosted on the Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master). See http://tools.ietf.org/html/rfc2136#section-1

The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designate cannot be Primary Masters at the same time. We need to decide who is going to have control over the data. I can see several alternatives:

A) Add support for slave zones to FreeIPA. It should be relatively easy and I guess doable in Fedora 23 time frame if it gets appropriate priority. For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data. The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'. When implemented, FreeIPA could become the easiest way to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by Designate API.

This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone.

To be sure we understood each other: In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients.

B) We can avoid implementing slave zones by using 'agent': http://docs.openstack.org/developer/designate/glossary.html If I'm not mistaken, this is what you implemented last year.

I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA. Designate has deprecated support for backends. The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA.

Wow, that is a lot of complexity. I suspect that something like this is already implemented in dnssyncd written by Martin Basti: https://github.com/bastiak/dnssyncd

Anyway, I do not see any value in doing so in this particular scenario. Designate would be the authoritative source of data (Primary Master) so from a functional point of view it would be the same (or worse) than variant (A), just with more code and more error prone.

C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year.

It was already dropped when the backend approach was deprecated.

In the current architecture it really does not add any value *unless* we add DNSSEC to the mix.

D) Integrate IPA installers with Designate API. This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management.

I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start.

Generally FreeIPA should integrate with other DNS server implementations in a way similar to this: https://fedorahosted.org/freeipa/ticket/4424 http://www.freeipa.org/page/V4/External_DNS_integration_with_installer Hopefully the 4.3 timeframe will allow us to work on that. In my opinion variants A+D are the best way to move forward. What do you think?

If we could change Designate in some way to work better with FreeIPA, what would you propose? How much can we change? :-D

I liked the original architecture where Designate just 'proxied' change requests to DNS implementations/backends.

Me too, but we didn't/don't have much say in
[Freeipa-devel] Final preparations for FreeIPA 4.2 GA
Hello all,

Let us do a final check before FreeIPA 4.2 GA! With One-Way patch set and KRA final patch pushed, there is just a little bit of work left. From FreeIPA 4.2 milestone tickets, I see:

#4238 [RFE] Provide ability to map CAC identity certificates to users in IdM
#5045 Add support for multiple host/service certificates in webUI
#5046 Add support for user certificates in WebUI - Waiting on Petr Vobornik's final touch.
#5103 Update 4.2 Requires in the spec file - This is a must, not every feature owner updated spec file with the latest version (like certmonger or sssd for One-Way Trusts). Please double check spec file and provide the right minimal versions to avoid RPM issues.
#5095 Be able to request certificates without certmonger service running - WIP by Honza and David. Not a must for GA though, can be postponed to 4.2.1
#5096 cert-request: enforce caacl for subjectAltName principals - Patch on review
#4768 [RFE] Add option to skip the verify_client_version and proceed at own risk - Honza found a problem with this patch, working a repair right now.

If anyone knows about anything blocking GA, please reply to this thread. I would like to encourage everyone to at least smoke test their and other features, so that we capture any last problem before tagging and release.

Finally, I prepared 4.2.0 release notes draft, updates welcome: http://www.freeipa.org/page/Releases/4.2.0

I also updated http://www.freeipa.org/page/Releases/4.2.0.alpha1 with regards to postponed Topology feature.

Thanks for help!

-- Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
Re: [Freeipa-devel] Meaning of two strings in plugins/service.py
On 05/07/15 11:25, Jérôme Fenal wrote:

Hi,

I stumbled upon those two following strings while translating into French, and just cannot figure out the meaning.

    Str('ipaallowedtoperform_read_keys',
        label=_('Failed allowed to retrieve keytab'),
    ),
    Str('ipaallowedtoperform_write_keys',
        label=_('Failed allowed to create keytab'),
    ),

Would it be that failure is allowed while retrieving or creating keytab? Or...?

Thanks for helping,

Jérôme

Hi Jérôme,

I guess it should be Failed to allow retrieval/creation of keytab. But Petr (added) is author of this code and should know better.

-- David Kupka
Re: [Freeipa-devel] [PATCH] Password vault
On 7.7.2015 at 16:42, Endi Sukma Dewata wrote:
- Original Message -
On 07/07/2015 10:51 AM, Jan Cholasta wrote:
On 3.7.2015 at 15:44, Endi Sukma Dewata wrote:

Here is the rebased patch for vault access control.

LGTM, except:

@@ -356,6 +386,13 @@ class vault(LDAPObject): { 'objectclass': ['nsContainer'], 'cn': rdn['cn'], +'aci': +'(targetfilter=(objectClass=ipaVault))' + +'(version 3.0; ' + +'acl User can manage private vaults; ' + +'allow(read, search, compare, add, delete) ' + +'userdn=ldap:///%s;;)' +% owner_dn }) # if entry can be added, return

I don't think dynamically creating ACIs with hardcoded userdn is something we want to do. This should be handled by a single ACI in cn=vaults.

+1. Single ACI like

+default: aci: (targetfilter=(objectClass=ipaVault))(version 3.0; acl Vault owners can manage the vault; allow(read, search, compare, write) userattr=owner#USERDN;)

you already have there is more preferred.

New patch attached. For this to work the container itself needs an 'owner' attribute, so I changed the nsContainer into ipaVaultContainer.

I don't think that's really necessary on the top-level containers. Anyway, the patch works, so ACK.

Pushed to master: bf6df3df9b388753a52a0040d9c15b1eabce41ca

-- Jan Cholasta
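Review bot: the ACI added in the vault container hunk bakes one owner's DN into its bind rule (`'userdn=ldap:///%s;;)' % owner_dn`), so an ACI has to be generated for every owner and kept in step with the owner attribute, and the DN is formatted into the ACI text without any escaping. The existing `userattr=owner#USERDN` ACI in cn=vaults states the same ownership rule once and needs no per-container string building, which is where this belongs. Note also that the per-container ACI grants add and delete but not write, while the cn=vaults ACI grants write but not add or delete; whichever form is kept, the rights should be reconciled deliberately rather than left different.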
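To make concrete why the reviewers preferred a single userattr-based ACI over a userdn ACI generated per container, here is an added example (constructed for this thread, not FreeIPA code) that evaluates both bind-rule styles against constructed vault entries; the DNs, the entry dicts and the quoted ACI text with its rights sets are assumptions modelled on the two ACIs discussed above.

```python
# Toy evaluator for the two 389-ds ACI bind-rule styles from the vault review:
# a per-container ACI with the owner's DN hardcoded in userdn, versus one ACI
# in cn=vaults using userattr=owner#USERDN. Constructed example, not FreeIPA code.
import re

# Constructed DNs and entries; the rights mirror the two ACIs quoted in the
# thread (the per-container one grants add/delete but not write).
ALICE_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
BOB_DN = "uid=bob,cn=users,cn=accounts,dc=example,dc=test"
ALICE_VAULT = {"objectclass": ["ipaVault"], "owner": [ALICE_DN]}
BOB_VAULT = {"objectclass": ["ipaVault"], "owner": [BOB_DN]}

HARDCODED_ACI = (
    '(targetfilter="(objectClass=ipaVault)")(version 3.0; '
    'acl "User can manage private vaults"; '
    'allow(read, search, compare, add, delete) userdn="ldap:///%s";)' % ALICE_DN
)
OWNER_ACI = (
    '(targetfilter="(objectClass=ipaVault)")(version 3.0; '
    'acl "Vault owners can manage the vault"; '
    'allow(read, search, compare, write) userattr="owner#USERDN";)'
)

_ACI_RE = re.compile(r'allow\(([^)]*)\)\s*(userdn|userattr)="([^"]*)"', re.IGNORECASE)

def parse_aci(aci):
    """Return (rights, bind_type, bind_value) for the simple ACI shapes above."""
    m = _ACI_RE.search(aci)
    if m is None:
        raise ValueError("unsupported ACI: %s" % aci)
    rights = frozenset(r.strip().lower() for r in m.group(1).split(","))
    return rights, m.group(2).lower(), m.group(3)

def bind_rule_matches(bind_type, bind_value, bound_dn, entry):
    """Evaluate the bind rule for bound_dn against the target entry (a dict)."""
    if bind_type == "userdn":
        return bind_value == "ldap:///" + bound_dn  # literal DN: one user only
    if bind_type == "userattr":
        attr, _, kind = bind_value.partition("#")
        if kind.upper() != "USERDN":
            raise ValueError("only attr#USERDN is modelled here")
        # Ownership comes from the entry itself, so one ACI covers every owner.
        return bound_dn in entry.get(attr.lower(), [])
    raise ValueError("unknown bind rule: %s" % bind_type)

def allowed(aci, right, bound_dn, entry):
    """True if the ACI grants `right` on `entry` to the user bound as `bound_dn`."""
    rights, bind_type, bind_value = parse_aci(aci)
    if "ipaVault" not in entry.get("objectclass", []):
        return False  # targetfilter (objectClass=ipaVault) does not match
    return right in rights and bind_rule_matches(bind_type, bind_value, bound_dn, entry)

def hardcoded_userdn_acis(acis):
    """Flag ACIs whose bind rule names one specific DN, the pattern the review rejected."""
    return [a for a in acis
            if parse_aci(a)[1] == "userdn" and parse_aci(a)[2].startswith("ldap:///uid=")]
```

The hardcoded ACI only ever matches alice and must be regenerated for bob's container, whereas the owner ACI grants each owner access to their own vault from a single definition.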
[Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements
== [PATCH] 898 webui: cert-request improvements ==

Certificate request action and dialog now supports 'profile_id', 'add' and 'principal' options. 'add' and 'principal' are displayed only if certificate is added from certificate search facet. Certificate search facet allows to add a certificate. User details facet allows to add a certificate.

part of https://fedorahosted.org/freeipa/ticket/5046

== [PATCH] 899 webui: show multiple cert ==

New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

== [PATCH] 900 webui: remove cert manipulation actions from host and service ==

Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if multiple certificates are present.

As an alternative to patch 900 we could also provide the original interface if there is only one cert and hide the actions if there are multiple certs.

note: {user|host|service}-{add|remove}_cert command support is still missing.

-- Petr Vobornik

From ddae79eafc144e338bab0504647a9295a928025c Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 9 Jul 2015 00:18:54 +0200
Subject: [PATCH] webui: remove cert manipulation actions from host and service

Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if multiple certificates are present.
---
install/ui/src/freeipa/host.js | 8 ++--
install/ui/src/freeipa/service.js | 12 ++--
2 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index e033279b2c374c00887fc51589c435b833ea0ad7..764e551b40a00d3a35ea4e8ec99de9164bc97be3 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -264,14 +264,10 @@ return { enable_cond: ['userpassword_w'], show_cond: ['has_password'] }, -'cert_view', -'cert_get', -'cert_request', -'cert_revoke', -'cert_restore' +'cert_request' ], header_actions: ['automember_rebuild', 'unprovision', 'set_otp', 'reset_otp', -'request_cert', 'view_cert', 'get_cert', 'revoke_cert', 'restore_cert'], +'request_cert'], state: { evaluators: [ IPA.host.has_password_evaluator, diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js index 28a01f635288b3fb164853a3c819dc3f4f58e3b7..f1f8d951e415e9768aab433e28da852a732bc8ba 100644 --- a/install/ui/src/freeipa/service.js +++ b/install/ui/src/freeipa/service.js @@ -226,19 +226,11 @@ return { ], actions: [ 'service_unprovision', -'cert_view', -'cert_get', -'cert_request', -'cert_revoke', -'cert_restore' +'cert_request' ], header_actions: [ 'unprovision', -'request_cert', -'view_cert', -'get_cert', -'revoke_cert', -'restore_cert' +'request_cert' ], state: { evaluators: [ -- 2.4.3 From 6aaa77b6f71b07af3264d470255b6d46fce23cdc Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 9 Jul 2015 00:12:00 +0200 Subject: [PATCH] webui: show multiple cert New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information. part of: https://fedorahosted.org/freeipa/ticket/5045 --- install/ui/less/widgets.less | 12 + install/ui/src/freeipa/certificate.js | 90 +++ install/ui/src/freeipa/host.js| 5 +- install/ui/src/freeipa/service.js | 5 +- install/ui/src/freeipa/user.js| 4 ++ install/ui/test/data/ipa_init.json| 3 ++ ipalib/plugins/internal.py| 3 ++ 7 files changed, 116 insertions(+), 6 deletions(-) diff --git a/install/ui/less/widgets.less b/install/ui/less/widgets.less index 7778f6bf46b3bbebf99fff4a7799fe4b0b090385..99b22068d7b721d93e7b6901e262ad11781ffae7 100644 --- a/install/ui/less/widgets.less 
+++ b/install/ui/less/widgets.less @@ -131,5 +131,17 @@ } } +// Certificate Widget + +.certificate-widget { +label { +padding-right: 10px; +} +.certificate { +word-wrap: break-word; +padding-bottom: 10px; +} +} + // workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=409254
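Review bot: in the host.js hunk, dropping 'cert_revoke' and 'cert_restore' (and their 'revoke_cert'/'restore_cert' header actions) removes the only path from the host page to revoke or restore a certificate, yet the commit message only says the actions need a serial number. The cover letter's alternative, keeping these actions when exactly one certificate is present and hiding them otherwise, would preserve that capability; if the removal stands, the commit message should state plainly that revocation is no longer available from the host and service pages.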
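Review bot: the service.js hunk is the same action removal as in host.js; if the single-certificate gating from the cover letter is adopted instead, the evaluator that decides whether the actions are shown should live in one shared place (the diffstat of patch 899 already touches install/ui/src/freeipa/certificate.js) rather than being duplicated in host.js and service.js, so the two pages cannot drift apart.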
[Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid
The error message was probably copied from mail address check below.

-- Petr Vobornik

From a935e707185d751604c24511ae8b65dd61500469 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 8 Jul 2015 22:11:52 +0200
Subject: [PATCH] fix error message when certificate CN is invalid

The error message was probably copied from mail address check below.
---
ipalib/plugins/cert.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 743fb4d3930f051c4a2098128b09b241a844cb43..341bdd01766d50ba18ce7147d4408851e6f95487 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -412,9 +412,7 @@ class cert_request(VirtualCommand): if cn != principal_name: raise errors.ValidationError( name='csr', -error=_( -DN commonName does not match -any of user's email addresses) +error=_(DN commonName does not match user's login) ) # check email address
-- 2.4.3
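Review bot: the replacement string in the cert.py hunk is a new gettext msgid, so existing translations of the old (wrong) text are discarded; that is the right outcome here, but the commit message should say so, since translators are working on these strings in parallel. The check itself, `if cn != principal_name:`, is an exact comparison as written, so a CSR whose commonName differs from the login only in case will also hit this message; worth confirming that is intended.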