[Freeipa-devel] [PATCH 0018] Minor fix in ipa-replica-manage MAN page
Hi All, Please review patch. Fixes: https://fedorahosted.org/freeipa/ticket/6058 -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io From b2a0e1133145dd672b959811711217d2960ce998 Mon Sep 17 00:00:00 2001 From: Abhijeet KasurdeDate: Tue, 12 Jul 2016 17:08:06 +0530 Subject: [PATCH] Minor fix in ipa-replica-manage MAN page Fixes: https://fedorahosted.org/freeipa/ticket/6058 Signed-off-by: Abhijeet Kasurde --- install/tools/man/ipa-replica-manage.1 | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 68be0232fae9309b108e69f9144501be3277f503..34cd314a517ae2f74da7bc87d6336e62d7b57118 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-replica\-manage \- Manage an IPA replica .SH "SYNOPSIS" @@ -163,15 +163,15 @@ Performing range changes as a delegated administrator (e.g. not using the Direct .TP List all masters: # ipa\-replica\-manage list - srv1.example.com - srv2.example.com - srv3.example.com - srv4.example.com + srv1.example.com: master + srv2.example.com: master + srv3.example.com: master + srv4.example.com: master .TP List a server's replication agreements. # ipa\-replica\-manage list srv1.example.com - srv2.example.com - srv3.example.com + srv2.example.com: replica + srv3.example.com: replica .TP Re\-initialize a replica: # ipa\-replica\-manage re\-initialize \-\-from srv2.example.com -- 2.4.11 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
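Review bot: the second hunk changes only the sample output of `ipa-replica-manage list` to carry a `: master` / `: replica` suffix after each server name, but the diffstat shows no change outside the two example blocks, so the prose describing the `list` command is left without any explanation of what the suffix means; add a sentence next to the examples (or in the `list` description) saying that each entry is followed by the server's role in the topology, so the sample output does not stand alone. The `.TH` date bump in the first hunk matches the commit date and needs no change.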
[Freeipa-devel] [PATCH 0032] Secure permission and cleanup Custodia server.keys
Custodia's server.keys file contains the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and is only secured by permission 700 of the directory /etc/ipa/custodia. The installer and upgrader ensure that the file has 600. The server.keys file and all keys are now removed during uninstallation of a server, too. https://bugzilla.redhat.com/show_bug.cgi?id=1353936 https://fedorahosted.org/freeipa/ticket/6015 https://fedorahosted.org/freeipa/ticket/6056 From de8f0f42f84eb5ce5e3efaf4336cbfab17793d21 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 8 Jul 2016 20:06:57 +0200 Subject: [PATCH] Secure permission and cleanup Custodia server.keys Custodia's server.keys file contains the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and is only secured by permission 700 of the directory /etc/ipa/custodia. The installer and upgrader ensure that the file has 600. The server.keys file and all keys are now removed during uninstallation of a server, too. https://bugzilla.redhat.com/show_bug.cgi?id=1353936 https://fedorahosted.org/freeipa/ticket/6015 https://fedorahosted.org/freeipa/ticket/6056 --- ipapython/secrets/kem.py | 58 ++- ipaserver/install/custodiainstance.py | 25 +++ 2 files changed, 70 insertions(+), 13 deletions(-) diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py index d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d..a9238e1f7bf8d8cef393ad6b6d997c5cebea13f4 100644 --- a/ipapython/secrets/kem.py +++ b/ipapython/secrets/kem.py @@ -15,6 +15,8 @@ from jwcrypto.jwk import JWK from ipapython.secrets.common import iSecLdap from binascii import unhexlify import ldap +import errno +import os IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc' 
@@ -66,7 +68,7 @@ class KEMLdap(iSecLdap): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) @@ -139,11 +141,29 @@ class KEMLdap(iSecLdap): mods = [(ldap.MOD_REPLACE, 'ipaPublicKey', public_key)] conn.modify_s(dn, mods) +def remove_key(self, usage, principal): +conn = self.connect() +scope = ldap.SCOPE_SUBTREE + +ldap_filter = self.build_filter(IPA_KEYS_QUERY, +{'usage': RFC5280_USAGE_MAP[usage], + 'princ': principal}) + +r = conn.search_s(self.keysbase, scope, ldap_filter) +if not r: +return False +for entry in r: +dn = r[0][0] +conn.delete_s(dn) +return True + def newServerKeys(path, keyid): skey = JWK(generate='RSA', use='sig', kid=keyid) ekey = JWK(generate='RSA', use='enc', kid=keyid) -with open(path, 'w+') as f: +with open(path, 'w') as f: +os.fchmod(f.fileno(), 0o600) +os.fchown(f.fileno(), 0, 0) f.write('[%s,%s]' % (skey.export(), ekey.export())) return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')] @@ -177,6 +197,9 @@ class IPAKEMKeys(KEMKeysStore): self.ldap_uri = conf.get('global', 'ldap_uri', None) self._server_keys = None +def get_principal(self, servicename): +return '%s/%s@%s' % (servicename, self.host, self.realm) + def find_key(self, kid, usage): if kid is None: raise TypeError('Key ID is None, should be a SPN') @@ -187,7 +210,7 @@ class IPAKEMKeys(KEMKeysStore): self.generate_keys('host') def generate_keys(self, servicename): -principal = '%s/%s@%s' % (servicename, self.host, self.realm) +principal = self.get_principal(servicename) # Neutralize the key with read if any self._server_keys = None # Generate private key and store it 
@@ -197,6 +220,23 @@ class IPAKEMKeys(KEMKeysStore): ldapconn.set_key(KEY_USAGE_SIG, principal, pubkeys[0]) ldapconn.set_key(KEY_USAGE_ENC, principal, pubkeys[1]) +def remove_server_keys(self): +self.remove_keys('host') + +def remove_keys(self, servicename): +principal = self.get_principal(servicename) +self._server_keys = None +# remove keys from LDAP +ldapconn = KEMLdap(self.ldap_uri) +ldapconn.remove_key(KEY_USAGE_SIG, principal) +ldapconn.remove_key(KEY_USAGE_ENC, principal) +# remove server.keys file +try: +os.unlink(self.config['server_keys']) +except OSError as e: +if
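Review bot: in the `@@ -139,11 +141,29 @@` hunk, the loop in `remove_key` uses `dn = r[0][0]` instead of the loop variable, so with more than one matching entry the first DN is deleted repeatedly (the second `delete_s` fails with no-such-object) while the remaining entries survive; change it to `dn = entry[0]` or iterate as `for dn, _attrs in r:`. In the same hunk, `newServerKeys` opens the file with `open(path, 'w')` and only then calls `os.fchmod(f.fileno(), 0o600)`, so a freshly created file briefly exists with umask-derived permissions (the 644 this commit is fixing) before it is narrowed; opening with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrapping the descriptor with `os.fdopen` gives the file the right mode from creation, and the `os.fchown(f.fileno(), 0, 0)` call should carry a comment that it requires root, which holds for the installer but will raise `EPERM` for any other caller of `newServerKeys`.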
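Review bot: in the `@@ -197,6 +220,23 @@` hunk, `remove_keys` discards the boolean that `remove_key` returns, so a missing LDAP key entry (for example from a half-completed earlier uninstall) is indistinguishable from a successful removal; log the result or return it to the caller. The LDAP deletions also run before the local `server.keys` file is unlinked, so if `KEMLdap(self.ldap_uri)` cannot connect, the private keys stay on disk after an uninstall; unlinking the file first, or wrapping the LDAP step so the file removal still happens, keeps the private material from surviving a failed LDAP step.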
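The permission problem this patch fixes (a key file created world-readable and protected only by its parent directory) is a general pattern, so here is an added example, not FreeIPA or Custodia code: it creates a secrets file with mode 0600 from the moment it exists, audits an existing file the way an upgrader would (extra permission bits, foreign owner, not a regular file), and narrows a file found too open. The file names and the JSON payload are constructed for the demo, and ownership is checked against the current user rather than root, since an `fchown(0, 0)` like the patch's only works when running as root.

```python
import os
import stat
import tempfile

# Constructed stand-in for the two exported JWKs the patch writes; the real
# server.keys holds RSA private keys, which is why 0644 is a problem.
SAMPLE_KEYS = ('[{"kty":"RSA","use":"sig","kid":"demo"},'
               '{"kty":"RSA","use":"enc","kid":"demo"}]')


def write_private_file(path, data, mode=0o600):
    """Create (or truncate) path so it never exists with more than `mode`.

    Passing the mode to os.open applies it at creation, so a new file never
    carries umask-derived 0644 bits; the fchmod afterwards also narrows a
    pre-existing file that was created too open (umask may widen, never
    narrow, the mode given to os.open).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd
        f.write(data)
    return path


def audit_private_file(path, mode=0o600, owner_uid=None):
    """Return a list of findings; an empty list means the file is acceptable.

    This is the check an upgrader should run on an already-installed system.
    """
    if owner_uid is None:
        owner_uid = os.getuid()  # the real installer would expect root (0)
    st = os.lstat(path)  # lstat: a symlink in place of the file is a finding
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    actual = stat.S_IMODE(st.st_mode)
    extra = actual & ~mode
    if extra:
        findings.append("mode %04o has extra bits %04o beyond %04o"
                        % (actual, extra, mode))
    if st.st_uid != owner_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    return findings


def harden_private_file(path, mode=0o600):
    """Narrow permissions in place; returns (mode before, mode after)."""
    before = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    after = stat.S_IMODE(os.stat(path).st_mode)
    return before, after


def demo():
    """Create one correctly protected file and one left at 0644, audit both."""
    d = tempfile.mkdtemp()
    good = write_private_file(os.path.join(d, "server.keys"), SAMPLE_KEYS)
    # Simulate the pre-patch state: a key file that was created with 0644.
    bad = os.path.join(d, "old-server.keys")
    with open(bad, "w") as f:
        f.write(SAMPLE_KEYS)
    os.chmod(bad, 0o644)
    report = {
        "good_mode": stat.S_IMODE(os.stat(good).st_mode),
        "good_findings": audit_private_file(good),
        "bad_findings_before": audit_private_file(bad),
        "bad_modes": harden_private_file(bad),
        "bad_findings_after": audit_private_file(bad),
    }
    for p in (good, bad):
        os.unlink(p)
    os.rmdir(d)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit uses `lstat` deliberately: if something has replaced the key file with a symlink, following it would report the target's permissions and hide the substitution.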
Re: [Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance
On 2016-07-07 14:54, Martin Basti wrote: > Patch needs changes in ipa-4-3 branch My patch? Do you want me to submit a patch for 4.3 branch? Christian
Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
On Tue, 2016-07-12 at 15:46 +0200, Martin Babinsky wrote: > On 07/12/2016 02:00 PM, Martin Babinsky wrote: > > > > On 07/12/2016 01:05 PM, Alexander Bokovoy wrote: > > > > > > On Mon, 11 Jul 2016, Martin Babinsky wrote: > > > > > > > > From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 > > > > 00:00:00 2001 > > > > From: Martin Babinsky> > > > Date: Fri, 1 Jul 2016 18:09:04 +0200 > > > > Subject: [PATCH] Preserve user principal aliases during rename > > > > operation > > > > > > > > When a MODRDN is performed on the user entry, the MODRDN plugin > > > > resets > > > > both > > > > krbPrincipalName and krbCanonicalName to the value constructed > > > > from > > > > uid. In > > > > doing so, hovewer, any principal aliases added to the > > > > krbPrincipalName > > > > are > > > > wiped clean. In this patch old aliases are fetched before the > > > > MODRDN > > > > operation > > > > takes place and inserted back after it is performed. > > > > > > > > This also preserves previous user logins which can be used > > > > further for > > > > authentication as aliases. > > > > > > > > https://fedorahosted.org/freeipa/ticket/6028 > > > > --- > > > > ipaserver/plugins/baseuser.py | 46 > > > > +++ > > > > 1 file changed, 46 insertions(+) > > > > > > > > diff --git a/ipaserver/plugins/baseuser.py > > > > b/ipaserver/plugins/baseuser.py > > > > index > > > > 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2 > > > > 452692a7edb342f6ac3 > > > > > > > > 100644 > > > > --- a/ipaserver/plugins/baseuser.py > > > > +++ b/ipaserver/plugins/baseuser.py 
> > > > @@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate): > > > > len = > > > > int(config.get('ipamaxusernamelength')[0]) > > > > ) > > > > ) > > > > + > > > > +def preserve_krbprincipalname_pre(self, ldap, entry_attrs, > > > > *keys, > > > > **options): > > > > +""" > > > > +preserve user principal aliases during rename > > > > operation. This > > > > is the > > > > +pre-callback part of this. Another method called > > > > during > > > > post-callback > > > > +shall insert the principals back > > > > +""" > > > > +if options.get('rename', None) is None: > > > > +return > > > > + > > > > +try: > > > > +old_entry = ldap.get_entry( > > > > +entry_attrs.dn, attrs_list=( > > > > +'krbprincipalname', 'krbcanonicalname')) > > > > + > > > > +if 'krbcanonicalname' not in old_entry: > > > > +return > > > > +except errors.NotFound: > > > > +self.obj.handle_not_found(*keys) > > > > + > > > > +self.context.krbprincipalname = old_entry.get( > > > > +'krbprincipalname', []) > > > > + > > > > +def preserve_krbprincipalname_post(self, ldap, > > > > entry_attrs, > > > > **options): > > > > +""" > > > > +Insert the preserved aliases back to the user entry > > > > during > > > > rename > > > > +operation > > > > +""" > > > > +if options.get('rename', None) is None or not hasattr( > > > > +self.context, 'krbprincipalname'): > > > > +return > > > > + > > > > +obj_pkey = > > > > self.obj.get_primary_key_from_dn(entry_attrs.dn) > > > > +canonical_name = entry_attrs['krbcanonicalname'][0] > > > > + > > > > +principals_to_add = tuple(p for p in > > > > self.context.krbprincipalname if > > > > + p != canonical_name) > > > > + > > > > +if principals_to_add: > > > > +result = self.api.Command.user_add_principal( > > > > +obj_pkey, principals_to_add)['result'] > > > > + > > > > +entry_attrs['krbprincipalname'] = > > > > result.get('krbprincipalname', []) > > > > + > > > > def check_mail(self, entry_attrs): > > > > if 'mail' in entry_attrs: > > > > entry_attrs['mail'] = > > > > 
self.obj.normalize_and_validate_email(entry_attrs['mail']) > > > > @@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate): > > > > > > > > self.check_objectclass(ldap, dn, entry_attrs) > > > > self.obj.convert_usercertificate_pre(entry_attrs) > > > > +self.preserve_krbprincipalname_pre(ldap, entry_attrs, > > > > *keys, > > > > **options) > > > > > > > > def post_common_callback(self, ldap, dn, entry_attrs, > > > > *keys, > > > > **options): > > > > assert isinstance(dn, DN) > > > > +self.preserve_krbprincipalname_post(ldap, entry_attrs, > > > > **options) > > > > if options.get('random', False): > > > > try: > > > > entry_attrs['randompassword'] = > > > > unicode(getattr(context, 'randompassword')) > > > > -- > > > > 2.5.5 > > > > > > > The approach looks good. > > > > > > For the record, we also support aliases
Re: [Freeipa-devel] [PATCH 0552] Vault: enable client side plugins CLI
On 07/12/2016 02:06 PM, Martin Babinsky wrote: > On 07/08/2016 04:36 PM, Alexander Bokovoy wrote: >> On Fri, 08 Jul 2016, Martin Basti wrote: >>> Patch attached. >>> https://fedorahosted.org/freeipa/ticket/6035 >> >>> From 2c97c316c1db49daeda15c709f082ee083a741ad Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Fri, 8 Jul 2016 15:53:25 +0200 >>> Subject: [PATCH] Enable vault-* commands on client >>> >>> Client plugins for vault commands were disabled by NO_CLI=True, >>> inherited from vault_add_interal, that is always NO_CLI=True. >>> Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2 >>> >>> Removed NO_CLI=True from client side plugins for vault. >>> >>> https://fedorahosted.org/freeipa/ticket/6035 >> ACK. >> >> I haven't tested it but the change is obvious. >> > > And it works as expected, so ACK also from me. > master: * 9feeaca9fb552229638ce98086aa75905a45b48d Enable vault-* commands on client -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0184] vault-add: set the default vault type on the client side if none was given
On 07/12/2016 02:10 PM, Martin Babinsky wrote: Quick fix for https://fedorahosted.org/freeipa/ticket/6047 Note that it depends on mbasti's patch 552 (already acked) otherwise client-side vault commands would not be even visible in CLI. ACK.
Re: [Freeipa-devel] [PATCH] spec: require Dogtag >= 10.3.3-3
On 8.7.2016 06:52, Fraser Tweedale wrote: > On Thu, Jul 07, 2016 at 01:16:04PM +0200, Petr Spacek wrote: >> Hello, >> >> IPA 4.4.0 requires Dogtag >= 10.3.4. Is this version going to be built for >> Fedora any time soon? >> >> Or should I update my scripts to automatically enable >> COPR @freeipa/freeipa-master >> in my testing VMs? >> >> Thanks. >> Petr^2 Spacek >> > Hi Petr, > > The required features were released for Fedora as 10.3.3-3. > Attached patch retracts the min required version accordingly. ACK -- Petr^2 Spacek
[Freeipa-devel] [PATCH 0184] vault-add: set the default vault type on the client side if none was given
Quick fix for https://fedorahosted.org/freeipa/ticket/6047 Note that it depends on mbasti's patch 552 (already acked) otherwise client-side vault commands would not be even visible in CLI. -- Martin^3 Babinsky From b2019ce4b1dbf16b52e43d89a3d113cd5d9efc93 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Tue, 12 Jul 2016 13:44:49 +0200 Subject: [PATCH] vault-add: set the default vault type on the client side if none was given `vault-add` commands does much processing depending on the vault type even before the request is forwarded to remote server. Since default values for parameters are now filled only on server side, the client-side logic would fail if the vault type was not explicitly given. In this case we have to retrieve and use the default vault type from schema. https://fedorahosted.org/freeipa/ticket/6047 --- ipaclient/plugins/vault.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 11210d6e1339f42598b39bcf599d3e6eacb5b9d8..b7e0cfffb2fff62fdbbf438964d124fc2dd8ac36 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -225,6 +225,11 @@ class vault_add(Local): def forward(self, *args, **options): vault_type = options.get('ipavaulttype') + +if vault_type is None: +internal_cmd = self.api.Command.vault_add_internal +vault_type = internal_cmd.params.ipavaulttype.default + password = options.get('password') password_file = options.get('password_file') public_key = options.get('ipavaultpublickey') -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
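Review bot: the resolved default is kept only in the local `vault_type` variable and is never written back into `options`, so the client branches on one vault type while the forwarded request still carries none and relies on the server applying the same default; adding `options['ipavaulttype'] = vault_type` after the lookup makes the type the client-side processing was based on explicit in the request. Both sides read the default from the same `vault_add_internal` schema here, so they agree today, but the explicit assignment removes the implicit coupling and makes the audit trail on the server show the type that was actually used.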
Re: [Freeipa-devel] [PATCH 0552] Vault: enable client side plugins CLI
On 07/08/2016 04:36 PM, Alexander Bokovoy wrote: On Fri, 08 Jul 2016, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/6035 From 2c97c316c1db49daeda15c709f082ee083a741ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 8 Jul 2016 15:53:25 +0200 Subject: [PATCH] Enable vault-* commands on client Client plugins for vault commands were disabled by NO_CLI=True, inherited from vault_add_interal, that is always NO_CLI=True. Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2 Removed NO_CLI=True from client side plugins for vault. https://fedorahosted.org/freeipa/ticket/6035 ACK. I haven't tested it but the change is obvious. And it works as expected, so ACK also from me. -- Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
On 07/12/2016 01:05 PM, Alexander Bokovoy wrote: On Mon, 11 Jul 2016, Martin Babinsky wrote: From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 1 Jul 2016 18:09:04 +0200 Subject: [PATCH] Preserve user principal aliases during rename operation When a MODRDN is performed on the user entry, the MODRDN plugin resets both krbPrincipalName and krbCanonicalName to the value constructed from uid. In doing so, however, any principal aliases added to the krbPrincipalName are wiped clean. In this patch old aliases are fetched before the MODRDN operation takes place and inserted back after it is performed. This also preserves previous user logins which can be used further for authentication as aliases. https://fedorahosted.org/freeipa/ticket/6028 --- ipaserver/plugins/baseuser.py | 46 +++ 1 file changed, 46 insertions(+) diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate): len = int(config.get('ipamaxusernamelength')[0]) ) ) + +def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, **options): +""" +preserve user principal aliases during rename operation. This is the +pre-callback part of this. Another method called during post-callback +shall insert the principals back +""" +if options.get('rename', None) is None: +return + +try: +old_entry = ldap.get_entry( +entry_attrs.dn, attrs_list=( +'krbprincipalname', 'krbcanonicalname')) + +if 'krbcanonicalname' not in old_entry: +return +except errors.NotFound: +self.obj.handle_not_found(*keys) + +self.context.krbprincipalname = old_entry.get( +'krbprincipalname', []) + +def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options): +""" +Insert the preserved aliases back to the user entry during rename +operation +""" +if options.get('rename', None) is None or not hasattr( +self.context, 'krbprincipalname'): +return + +obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn) +canonical_name = entry_attrs['krbcanonicalname'][0] + +principals_to_add = tuple(p for p in self.context.krbprincipalname if + p != canonical_name) + +if principals_to_add: +result = self.api.Command.user_add_principal( +obj_pkey, principals_to_add)['result'] + +entry_attrs['krbprincipalname'] = result.get('krbprincipalname', []) + def check_mail(self, entry_attrs): if 'mail' in entry_attrs: entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail']) 
@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate): self.check_objectclass(ldap, dn, entry_attrs) self.obj.convert_usercertificate_pre(entry_attrs) +self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options) def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) +self.preserve_krbprincipalname_post(ldap, entry_attrs, **options) if options.get('random', False): try: entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) -- 2.5.5 The approach looks good. For the record, we also support aliases for hosts and service kerberos principals but we don't support rename options for them, so there is no need to add similar logic there. That's right, I have updated the corresponding section of the design page [1] for future reference. [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases#Management_framework -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0179] Preserve user principal aliases during rename operation
On Mon, 11 Jul 2016, Martin Babinsky wrote: From 185bde00a76459430d95ff207bf1fb3fe31e811a Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 1 Jul 2016 18:09:04 +0200 Subject: [PATCH] Preserve user principal aliases during rename operation When a MODRDN is performed on the user entry, the MODRDN plugin resets both krbPrincipalName and krbCanonicalName to the value constructed from uid. In doing so, however, any principal aliases added to the krbPrincipalName are wiped clean. In this patch old aliases are fetched before the MODRDN operation takes place and inserted back after it is performed. This also preserves previous user logins which can be used further for authentication as aliases. https://fedorahosted.org/freeipa/ticket/6028 --- ipaserver/plugins/baseuser.py | 46 +++ 1 file changed, 46 insertions(+) diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate): len = int(config.get('ipamaxusernamelength')[0]) ) ) + +def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, **options): +""" +preserve user principal aliases during rename operation. This is the +pre-callback part of this. Another method called during post-callback +shall insert the principals back +""" +if options.get('rename', None) is None: +return + +try: +old_entry = ldap.get_entry( +entry_attrs.dn, attrs_list=( +'krbprincipalname', 'krbcanonicalname')) + +if 'krbcanonicalname' not in old_entry: +return +except errors.NotFound: +self.obj.handle_not_found(*keys) + +self.context.krbprincipalname = old_entry.get( +'krbprincipalname', []) + +def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options): +""" +Insert the preserved aliases back to the user entry during rename +operation +""" +if options.get('rename', None) is None or not hasattr( +self.context, 'krbprincipalname'): +return + +obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn) +canonical_name = entry_attrs['krbcanonicalname'][0] + +principals_to_add = tuple(p for p in self.context.krbprincipalname if + p != canonical_name) + +if principals_to_add: +result = self.api.Command.user_add_principal( +obj_pkey, principals_to_add)['result'] + +entry_attrs['krbprincipalname'] = result.get('krbprincipalname', []) + def check_mail(self, entry_attrs): if 'mail' in entry_attrs: entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail']) 
@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate): self.check_objectclass(ldap, dn, entry_attrs) self.obj.convert_usercertificate_pre(entry_attrs) +self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options) def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) +self.preserve_krbprincipalname_post(ldap, entry_attrs, **options) if options.get('random', False): try: entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) -- 2.5.5 The approach looks good. For the record, we also support aliases for hosts and service kerberos principals but we don't support rename options for them, so there is no need to add similar logic there. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
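Review bot: in the `@@ -498,6 +498,50 @@` hunk, `preserve_krbprincipalname_pre` falls through after `self.obj.handle_not_found(*keys)`, so if that helper ever returns instead of raising, `old_entry` is unbound on the next line; either `return` after the call or move the `self.context.krbprincipalname = ...` assignment into the `try` body. In `preserve_krbprincipalname_post`, `self.api.Command.user_add_principal(obj_pkey, principals_to_add)` is a second command issued after the MODRDN has already succeeded, so a failure there (for example an alias that now collides with another entry) leaves the user renamed but without its aliases and surfaces as an error from `user-mod`; the docstring should state that the aliases are re-added as a separate step and name that partial-failure outcome, since the old logins that the commit message says are preserved are exactly what is lost in that case.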
[Freeipa-devel] [PATCH 0149] help: Add dnsserver commands to help topic 'dns'
Hello, help: Add dnsserver commands to help topic 'dns' https://bugzilla.redhat.com/show_bug.cgi?id=1353888 -- Petr^2 Spacek From 28e5f4d195c891a2eba2970c8a915469a2b0447f Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Tue, 12 Jul 2016 12:53:52 +0200 Subject: [PATCH] help: Add dnsserver commands to help topic 'dns' https://bugzilla.redhat.com/show_bug.cgi?id=1353888 --- ipaserver/plugins/dnsserver.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/plugins/dnsserver.py b/ipaserver/plugins/dnsserver.py index beddec04230d810479fff9612721cf12260bbb3a..c26be6ecb2caf59318c38010423c583bf0c50cd8 100644 --- a/ipaserver/plugins/dnsserver.py +++ b/ipaserver/plugins/dnsserver.py @@ -48,6 +48,8 @@ EXAMPLES: register = Registry() +topic = 'dns' + dnsserver_object_class = ['top', 'idnsServerConfigObject'] @register() -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
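Review bot: the added module-level `topic = 'dns'` is what moves the `dnsserver-*` commands under the `dns` help topic, per the subject line, but as a bare assignment sitting between `register = Registry()` and `dnsserver_object_class` it reads like an unused variable; a one-line comment saying the help system groups this module's commands under `ipa help dns` would save the next reader a grep for how the topic is picked up.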
Re: [Freeipa-devel] [PATCH 0056] removed unused parameter from migrate-ds
On 07/11/2016 12:40 PM, Stanislav Laznicka wrote: https://fedorahosted.org/freeipa/ticket/6034 ACK -- Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0550] host-find: do not show SSH keys by default
On 07/08/2016 01:52 PM, Martin Basti wrote: Reproducible only with 2+ hosts, patch attached. https://fedorahosted.org/freeipa/ticket/6043 ACK.
Re: [Freeipa-devel] [PATCH] kdb: check for local realm in enterprise principals
On 07/11/2016 05:15 PM, Martin Babinsky wrote: > On 07/06/2016 07:01 PM, Sumit Bose wrote: >> Hi, >> >> although enterprise principals for trusted domains now are working as >> expected they do not work for the local domain: >> >> # kinit -E admin@IPA.DEVEL >> kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos >> database while getting initial credentials >> >> Attached patch handles this case. It is not that nice because of the >> duplication of ipadb_fetch_principals() and ipadb_find_principal(). But >> I think there was a reason I do not remember why we didn't check for >> enterprise principals before checking the local database. If there is no >> such reason it might make sense to check for enterprise principals >> before doing the lookup. Please let me know if I should change the patch >> accordingly or if the current version is ok, >> >> bye, >> Sumit >> >> >> > Code looks ok to me and the patch fixes the issue, so ACK. > master: * 6d6da6b281173737bd31ba4845af11a097846c05 kdb: check for local realm in enterprise principals -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0183] ipa-advise: correct handling of plugin namespace iteration
On 07/11/2016 02:30 PM, Stanislav Laznicka wrote: > On 07/11/2016 02:18 PM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/6044 >> >> >> > ACK. > > > master: * c1d8629b7490f443eededf0c0d0472d8285f85e8 ipa-advise: correct handling of plugin namespace iteration -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin statu
On 07/12/2016 10:22 AM, Stanislav Laznicka wrote: > On 07/12/2016 10:02 AM, Stanislav Laznicka wrote: >> On 07/11/2016 10:50 AM, Martin Babinsky wrote: >>> Fixes regression reported in >>> https://fedorahosted.org/freeipa/ticket/6033 >>> >> Hello, >> >> The ticket is rather cryptic as it has ipa-compat-manage in header but >> describes error in ipa-nis-manage. Both scripts suffer with the very >> same error, could you fix the latter as well? >> >> Thanks, >> Standa > > Never mind, found the ipa-nis-manage patch posted earlier in the mailing > list ACKed although it probably hasn't been pushed yet. > > ACK. > master: * a5efeb449bba47dd430a7b8ffa594ace189252f4 ipa-compat-manage: use server API to retrieve plugin status -- Petr Vobornik
Re: [Freeipa-devel] [patch 0038-0040] Sub CA test patches
On 07/08/2016 06:06 AM, Fraser Tweedale wrote: > On Thu, Jul 07, 2016 at 03:46:52PM +0200, Milan Kubík wrote: >> On 07/04/2016 08:57 AM, Fraser Tweedale wrote: >>> Hi Milan, >> > Thanks Milan, > > All working for me now. ACK on all four patches. > > Cheers, > Fraser > master: * ea9b15f435c6327c6f642e3e8093796229d94598 ipatests: Tracker implementation for Sub CA feature * 5b37aaad7718bd0214053fd2e758ba7dc332e21d ipatests: Extend CAACL suite to cover Sub CA members * d88a12f1f59640bb6593169aa4c7ea204af18cee ipatests: Test Sub CA with CAACL and certificate profile * 0277a89825cf0d8d1099f537d9eb4ab1020751d2 ipatests: remove ipacertbase option from test CSR configuration -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0181] ipa-nis-manage: Use server API to retrieve plugin status
On 07/06/2016 11:18 AM, Florence Blanc-Renaud wrote: > On 07/04/2016 01:36 PM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/6027 >> >> >> > Hi Martin, > > I tested your patch and it correctly fixes the issue. > Ack, > > Flo. > master: * c5cc79f1ad2ef1eb81ad3d9cea2882a7ae1825b2 ipa-nis-manage: Use server API to retrieve plugin status -- Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0087 uninstall: untrack lightweight CA certs
On 07/04/2016 10:18 AM, Martin Babinsky wrote: > On 07/04/2016 05:10 AM, Fraser Tweedale wrote: >> The attached patch fixes >> https://fedorahosted.org/freeipa/ticket/6020 >> >> Thanks, >> Fraser >> >> >> > ACK. > master: * 88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack lightweight CA certs -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin statu
On 07/12/2016 10:02 AM, Stanislav Laznicka wrote: On 07/11/2016 10:50 AM, Martin Babinsky wrote: Fixes regression reported in https://fedorahosted.org/freeipa/ticket/6033 Hello, The ticket is rather cryptic as it has ipa-compat-manage in header but describes error in ipa-nis-manage. Both scripts suffer with the very same error, could you fix the latter as well? Thanks, Standa Never mind, found the ipa-nis-manage patch posted earlier in the mailing list ACKed although it probably hasn't been pushed yet. ACK.
Re: [Freeipa-devel] [PATCH 0182] ipa-compat-manage: use server API to retrieve plugin statu
On 07/11/2016 10:50 AM, Martin Babinsky wrote: Fixes regression reported in https://fedorahosted.org/freeipa/ticket/6033 Hello, The ticket is rather cryptic as it has ipa-compat-manage in header but describes error in ipa-nis-manage. Both scripts suffer with the very same error, could you fix the latter as well? Thanks, Standa
Re: [Freeipa-devel] [PATCH] 0089 caacl: expand plugin documentation
On Tue, 12 Jul 2016, Fraser Tweedale wrote: Attached patch is a doc change, addressing https://fedorahosted.org/freeipa/ticket/6002. Thanks, Fraser From 19c5fc60391d37c9d0500feb5d5d5a6628bc4d27 Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Tue, 12 Jul 2016 15:11:11 +1000 Subject: [PATCH] caacl: expand plugin documentation Expand the 'caacl' plugin documentation to explain some common confusions including the fact that CA ACLs apply to the target subject principal (not necessarily the principal requesting the cert), and the fact that CA-less CA ACL implies the 'ipa' CA. Fixes: https://fedorahosted.org/freeipa/ticket/6002 --- ipaserver/plugins/caacl.py | 34 -- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 9a60f7e27809c4f41b160647efafde94dbe90bf0..d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py 
@@ -23,14 +23,36 @@ if six.PY3: __doc__ = _(""" Manage CA ACL rules. -This plugin is used to define rules governing which principals are -permitted to have certificates issued using a given certificate -profile. +This plugin is used to define rules governing which CAs and profiles +may be used to issue certificates to particular principals or groups +of principals. -PROFILE ID SYNTAX: +SUBJECT PRINCIPAL SCOPE: -A Profile ID is a string without spaces or punctuation starting with a letter -and followed by a sequence of letters, digits or underscore ("_"). +For a certificate request to be allowed, the principal(s) that are +the subject of a certificate request (not necessarily the principal +actually requesting the certificate) must be included in the scope +of a CA ACL that also includes the target CA and profile. + +Users can be included by name, group or the "all users" category. +Hosts can be included by name, hostgroup or the "all hosts" +category. Services can be included by service name or the "all +services" category. CA ACLs may be associated with a single type of +principal, or multiple types. + +CERTIFICATE AUTHORITY SCOPE: + +A CA ACL can be associated with one or more CAs by name, or by the +"all CAs" category. For compatibility reasons, a CA ACL with no CA +association implies an association with the 'ipa' CA (and only this +CA). + +PROFILE SCOPE: + +A CA ACL can be associated with one or more profiles by Profile ID. +The Profile ID is a string without spaces or punctuation starting +with a letter and followed by a sequence of letters, digits or +underscore ("_"). EXAMPLES: ACK. Reads well. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
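Review bot: the new PROFILE SCOPE paragraph at the end of the hunk is the only scope section that neither names an "all" category nor says what a CA ACL with no association in that dimension matches; SUBJECT PRINCIPAL SCOPE lists the "all users"/"all hosts"/"all services" categories, and CERTIFICATE AUTHORITY SCOPE both lists the "all CAs" category and spells out the no-association default ("implies an association with the 'ipa' CA (and only this CA)"). Since the CA paragraph establishes that an empty association can carry an implicit default, a reader will reasonably wonder whether an ACL with no profile association also has one. Add a sentence to PROFILE SCOPE stating whether profiles can be matched by an "all profiles" category and what an ACL with no profile association means (no profile, or all profiles), so the three scope sections are parallel and the no-profile case is not left to inference.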
Re: [Freeipa-devel] [PATCH 0057] Don't show part of warning containing --force-ntpd in replica install
On 07/11/2016 04:27 PM, Petr Vobornik wrote:
> On 07/11/2016 01:23 PM, Stanislav Laznicka wrote:
>> https://fedorahosted.org/freeipa/ticket/6046
>
> Isn't the bug about something else? The issue was that ipa-replica-install
> doesn't have a --force-ntpd option. It is an option of ipa-client-install,
> which is run from the replica installer. The unattended mode is unrelated.

My understanding is that the bug says that the '--force-ntpd' option should
not be shown when ipa-client-install is run during replica installation.
During replica installation, the ipa-client-install script is run with the
'--unattended' flag in the 'ensure_enrolled()' function. Being a separate
script, there are not many options on how to pass the information not to
show the message to ipa-client-install. Using the already used flag to get
rid of the message seemed easiest to me. Introducing a new 'hidden' flag
(like '--from-replica'), on the other hand, seems a bit harsh.